Hello

I understand custom actions have a JWT token on the “Authorization” header that allows my server to verify the source of the call, but what about webhooks? I’ve noticed there’s no such header, so how can I validate the webhook call came from Monday.com?

Hello @sp-keyzy!

Welcome to the community, we hope you like it here

You are correct in that webhooks do not provide the benefits that come with the authorization header included in custom actions.

However, our servers will send a "challenge’ to your URL to verify that you control the endpoint you provide. Our platform checks this by sending a JSON challenge to your endpoint, and your app should respond back with the same challenge.

We will send a JSON POST body, containing a “challenge” field. This is a randomly generated token that we expect you to return as a “challenge” field of your response JSON body to that request.

Here is what the “Challenge” will look like:

{
 "challenge": "3eZbrw1aBm2rZgRNFdxV2595E9CY3gmdALWMmHkvFXO7tYXAYM8P"
}

The response body should be an identical JSON POST body:

{
 "challenge": "3eZbrw1aBm2rZgRNFdxV2595E9CY3gmdALWMmHkvFXO7tYXAYM8P"
}

Here is a simple example in JavaScript of a webhook listener that will print the output of the webhook and respond correctly to the challenge:

app.post("/", function(req, res) {  console.log(JSON.stringify(req.body, 0, 2));    res.status(200).send(req.body);})

The problem with challenge is that I get it only when I register the webhook, not when it triggers

Is there a way to do an official feature request to get some sort of authentication available to webhooks?