Webhook api-key


I am integrating my monday app to an api gateway on aws. But all external requests will need security applied to access the api gateway and therefore send the dedicated api key in the headers. How can do to set the actual api key from the aws api gateway on the requests send by my monday webhook ?

You cannot. The webhooks you create from the integration on a board, do not contain any authentication, nor is there an ability to add one.

If you want to authenticate, you need to use the full apps framework, and create an integration feature. Within that you can create recipes that send payloads you define - and include a JWT signed by your apps signing secret you can verify in your lambda.

If you go that route you can create a lambda authorizer for API Gateway, which will verify the jwt, and can reject it before the requests reaches your actual lambda function.

With the apps framework, when you get a jwt, it includes a short lived API token (5 minutes) to make API requests. You can use this to create additional webhooks through the API (like the ones created in integrations). However these ones will include a JWT to authenticate them, since now there is something with a secret attached to it.

You MAY be able to work around this by creating an app with the framework and get your way through the OAuth process to create an OAuth token which you can then use with the API to create webhooks that have authentication headers. But this is beyond easy discussion here.

Actually the webhook is a feature of an app. I guess I’ll go with the lambda authorizer for API Gateway with the signing secret

Thanks @codyfrisch

You can of course just put the authorization in the main lambda if you’re only doing one lambda but that seems… unlikely. Using the authorizer also means that the only thing you’re accessing is the authorization header - the body of the event isn’t even accessible. This reduces the ability of someone to manipulate code and access your secrets in some fashion since the lambda that does the actual processing of the payload can have entirely different permissions (no access to the secret from secret manager for example).

Also Homepage - Powertools for AWS Lambda (TypeScript) will make your life much easier in lambda world. Includes a parameters feature that makes getting secrets much easier. As well as a pretty decent logger.