Webhooks and Short Lived Tokens

I have a Monday Code hosted app that I’m working on implementing webhooks for, but I’m having an issue getting a shortLivedToken.

This code handles the webhook POST call:

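    import { NextResponse } from 'next/server';
    import jwt, { JwtPayload } from 'jsonwebtoken';
    import { headers } from 'next/headers';

    export async function POST(request: Request) {
      try {
        const headersList = await headers();
        const authHeader = headersList.get('Authorization');
        const clientSecret = process.env.CLIENT_SECRET;

        // Reject the request instead of throwing on a missing header or secret
        if (!authHeader || !clientSecret) {
          return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
        }

        const token = authHeader.replace('Bearer ', '');

        // jwt.verify checks the signature and expiry and throws on failure
        const decoded = jwt.verify(token, clientSecret) as JwtPayload;
        // shortLivedToken claim, if the payload carries one
        const accessToken = decoded.shortLivedToken;

        return NextResponse.json({ ok: true });
      }
      catch (error) {
        // handle error
        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
      }
    }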

and decoded evaluates to:

    {
      "fields": {
        "dat": {
          "structValue": {
            "fields": {
              "client_id": {
                "stringValue": "b11**********************",
                "kind": "stringValue"
              },
              "app_version_id": {
                "numberValue": 104******,
                "kind": "numberValue"
              },
              "is_admin": {
                "boolValue": true,
                "kind": "boolValue"
              },
              "is_guest": {
                "boolValue": false,
                "kind": "boolValue"
              },
              "app_id": {
                "numberValue": 101******,
                "kind": "numberValue"
              },
              "install_id": {
                "numberValue": 112*****,
                "kind": "numberValue"
              },
              "user_kind": {
                "stringValue": "admin",
                "kind": "stringValue"
              },
              "user_id": {
                "numberValue": 620******,
                "kind": "numberValue"
              },
              "account_id": {
                "numberValue": 238******,
                "kind": "numberValue"
              },
              "is_view_only": {
                "boolValue": false,
                "kind": "boolValue"
              },
              "slug": {
                "stringValue": "example-app",
                "kind": "stringValue"
              }
            }
          },
          "kind": "structValue"
        },
        "exp": {
          "numberValue": 173********,
          "kind": "numberValue"
        }
      }
    }

This is very different from the shape of the object in the Authorization Header documentation:

    {
      "accountId": 1825528,
      "userId": 4012689,
      "aud": "https://www.yourserver.com/endpoint",
      "exp": 1606808758,
      "shortLivedToken": "SHORT_LIVED_TOKEN_HERE",
      "iat": 1606808458
    }

There’s this caveat in the documentation: “We will not issue a short-lived token if your app’s endpoints do not start with https:// .”

But my webhooks url starts with https://. This is it: https://live1-service-23******-f43*******.us.monday.app/api/webhooks

My decoded token data is so drastically different from what’s in the docs. I’m not sure if I’m just totally off track or if the docs are outdated for this.

Any guidance would be sincerely appreciated!

Hello there @bradfoster,

Would you be able to please fill out this form, adding as much information as possible to it (such as app ID, account ID, timestamps, etc.) so that our team can take a look into it?

Hi @Matias.Monday thank you for the reply - I submitted ticket #3706301.

The authorization header JWT sent with webhooks (the webhooks created with the API create_webhook) is not the same as the JWT sent by recipe sentence builder (or workflow builder) actions.

Only the actions for integrations/workflow builder contain the shortLivedToken.

The one sent with webhooks is the same as the sessionToken you get with UI features (monday.get('sessionToken')) - and does not contain a shortLivedToken.

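The distinction described in the last reply, as an added example that is not part of the original thread or monday's own code: the handler verifies the JWT, then branches on which kind it received instead of assuming `shortLivedToken` exists. It assumes HS256 signing with the app secret and a plain `dat` claims object (field names taken from the dump above); `verifyHs256`, `classify`, `sign` and the sample tokens are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Verify a compact HS256 JWT and return its payload; throws on any failure.
function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm: the token's own header must not choose it ("none", RS256, ...).
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (typeof payload.exp !== 'number' || payload.exp <= nowSec) throw new Error('expired');
  return payload;
}

// Decide which kind of JWT this is from its verified claims (assumed shapes).
function classify(payload) {
  if (typeof payload.shortLivedToken === 'string') {
    return { kind: 'action', accountId: payload.accountId, apiToken: payload.shortLivedToken };
  }
  if (payload.dat && typeof payload.dat === 'object') {
    // Webhook / sessionToken style: identity claims only, no API token included.
    return { kind: 'webhook', accountId: payload.dat.account_id, apiToken: null };
  }
  throw new Error('unrecognised payload shape');
}

// Constructed sample tokens, signed locally with a made-up secret.
const SECRET = 'constructed-test-secret';
function sign(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const h = enc({ alg: 'HS256', typ: 'JWT' });
  const p = enc(payload);
  return `${h}.${p}.${createHmac('sha256', SECRET).update(`${h}.${p}`).digest('base64url')}`;
}
const exp = Math.floor(Date.now() / 1000) + 300;
const actionJwt = sign({ accountId: 1, userId: 2, exp, shortLivedToken: 'SAMPLE' });
const webhookJwt = sign({ dat: { account_id: 1, user_id: 2 }, exp });
```

A handler built this way can return early for `kind: 'webhook'` and use a separately stored credential for any API call, since `apiToken` is `null` in that branch.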