Webhooks and Short Lived Tokens

I have a Monday Code hosted app that I’m working on implementing webhooks for, but I’m having an issue getting a shortLivedToken.

This code handles the webhook POST call:

import { NextResponse } from 'next/server';
import jwt, { type JwtPayload } from 'jsonwebtoken';
import { headers } from 'next/headers';

export async function POST(request: Request) {
  try {
    // await works whether headers() is sync (Next 14) or async (Next 15)
    const headersList = await headers();
    const authHeader = headersList.get('Authorization');

    // Reject requests without a bearer token instead of verifying an empty string
    if (!authHeader?.startsWith('Bearer ')) {
      return NextResponse.json({ error: 'missing bearer token' }, { status: 401 });
    }
    const token = authHeader.slice('Bearer '.length);

    const clientSecret = process.env.CLIENT_SECRET;
    if (!clientSecret) {
      throw new Error('CLIENT_SECRET is not configured');
    }

    // Pin the algorithm so a token with a different alg header is rejected
    const decoded = jwt.verify(token, clientSecret, { algorithms: ['HS256'] }) as JwtPayload;
    // undefined when the token carries no shortLivedToken claim
    const accessToken: string | undefined = decoded.shortLivedToken;

    return NextResponse.json({ received: true, hasShortLivedToken: accessToken !== undefined });
  }
  catch (error) {
    // handle error: signature, algorithm and expiry failures all land here
    return NextResponse.json({ error: 'invalid token' }, { status: 401 });
  }
}

and decoded evaluates to:

    {
      "fields": {
        "dat": {
          "structValue": {
            "fields": {
              "client_id": {
                "stringValue": "b11**********************",
                "kind": "stringValue"
              },
              "app_version_id": {
                "numberValue": 104******,
                "kind": "numberValue"
              },
              "is_admin": {
                "boolValue": true,
                "kind": "boolValue"
              },
              "is_guest": {
                "boolValue": false,
                "kind": "boolValue"
              },
              "app_id": {
                "numberValue": 101******,
                "kind": "numberValue"
              },
              "install_id": {
                "numberValue": 112*****,
                "kind": "numberValue"
              },
              "user_kind": {
                "stringValue": "admin",
                "kind": "stringValue"
              },
              "user_id": {
                "numberValue": 620******,
                "kind": "numberValue"
              },
              "account_id": {
                "numberValue": 238******,
                "kind": "numberValue"
              },
              "is_view_only": {
                "boolValue": false,
                "kind": "boolValue"
              },
              "slug": {
                "stringValue": "example-app",
                "kind": "stringValue"
              }
            }
          },
          "kind": "structValue"
        },
        "exp": {
          "numberValue": 173********,
          "kind": "numberValue"
        }
      }
    }

This is very different from the shape of the object in the Authorization Header documentation:

{
  "accountId": 1825528,
  "userId": 4012689,
  "aud": "https://www.yourserver.com/endpoint",
  "exp": 1606808758,
  "shortLivedToken": "SHORT_LIVED_TOKEN_HERE",
  "iat": 1606808458
}

There’s this caveat in the documentation: “We will not issue a short-lived token if your app’s endpoints do not start with https:// .”

But my webhooks url starts with https://. This is it: https://live1-service-23******-f43*******.us.monday.app/api/webhooks

My decoded token data is so drastically different from what’s in the docs. I’m not sure if I’m just totally off track or if the docs are outdated for this.

Any guidance would be sincerely appreciated!

Hello there @bradfoster,

Would you be able to please fill in this form, adding as much information as possible to it (such as app ID, account ID, timestamps, etc.), so that our team can take a look into it?

Hi @Matias.Monday thank you for the reply - I submitted ticket #3706301.

The authorization header JWT sent with webhooks (the webhooks created with the API create_webhook) is not the same as the JWT sent by recipe sentence builder (or workflow builder) actions.

Only the actions for integrations/workflow builder contain the shortLivedToken.

The one sent with webhooks is the same as the sessionToken you get with UI features (monday.get('sessionToken')) and does not contain a shortLivedToken.


@anon29275264 Since there is no short lived token in the JWT sent in the webhook, is there any way to authenticate the monday SDK? Our app doesn’t store an oauth token so we rely on the short lived token in requests to access their data.

For our specific use-case, we need to delete customer data on the uninstall webhook. Is there no automated way to delete the data since the webhook doesn’t come with any method to authenticate the sdk?

Assuming you’re using monday storage? In this case - nope, you’re forced to just leave the data behind.

Once they uninstall the app the oauth tokens are all stale too - the uninstall deletes a private signature generated for the app install. If they reinstall none of those saved OAuth tokens will work anymore either.

The data abandonment issue is known to monday and they have stated it's something they intend to address. Not sure how they plan to though.