
Webhook authentication

Webhooks can be authenticated as explained in the configuration section. Authentication lets a webhook receiver verify that a webhook really comes from AppDirect and not from malicious software impersonating AppDirect.

The default authentication type is None, which, as the name suggests, means no authentication information is attached to webhooks. The Token option prompts the user to enter a secret token. That token is attached as an HTTP header to every webhook sent to the webhook receiver endpoint. The header name is x-appdirect-webhook-token (AppDirect-Webhook-Token for legacy webhook users). On receiving a webhook, the receiver compares the header value with its own copy of the token before accepting the webhook; if the header is missing or its value does not match, the receiver responds with 401 Unauthorized. Because the token is a shared secret carried in the request itself, the receiver endpoint should be served over HTTPS, and the comparison should be constant-time so that response timing does not leak how much of a guessed token was correct.
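The following receiver is an added example, not AppDirect's code, showing the check the Token option calls for. It accepts both documented header names, compares the presented value against the configured token in constant time, and answers 401 when the header is absent or wrong. The token value, the port and the handler class are assumptions for illustration; a real deployment would load the token from configuration rather than a constant.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names documented for the Token option. HTTP header names are
# case-insensitive, so both are matched after lower-casing.
TOKEN_HEADERS = ("x-appdirect-webhook-token", "appdirect-webhook-token")

# Constructed example secret standing in for the value entered in the
# AppDirect webhook configuration (load it from the environment in practice).
EXPECTED_TOKEN = "wh_example_secret_0123456789"


def verify_webhook_token(headers, expected_token=EXPECTED_TOKEN):
    """True only if a token header is present and equals expected_token.

    `headers` is any mapping of header name -> value. hmac.compare_digest is
    used so that the time taken does not depend on how many leading bytes
    of a guessed token were correct.
    """
    if not expected_token:
        # A receiver with no configured secret must reject everything rather
        # than treat an absent or empty header as a match.
        return False
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = next((lowered[h] for h in TOKEN_HEADERS if h in lowered), None)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected_token.encode("utf-8"))


def handle_webhook(headers, body, expected_token=EXPECTED_TOKEN):
    """Decide the response for one delivery: returns (status, reply body)."""
    if not verify_webhook_token(headers, expected_token):
        return 401, b"Unauthorized"
    # Only authenticated deliveries reach event processing; `body` would be
    # parsed and dispatched here.
    return 200, b"OK"


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal HTTP receiver wired to handle_webhook (assumed, for illustration)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, reply = handle_webhook(dict(self.headers.items()), body)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


if __name__ == "__main__":
    # Listen locally; put this receiver behind TLS before exposing it.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

The receiver deliberately returns the same 401 for a missing header and for a wrong value, so a caller cannot distinguish the two cases.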

The last two authentication types are variations of OAuth2:

  • OAuth2 with Resource Owner Password: On selecting this option, the user is prompted to enter the Access Token URI, Client ID, Client Secret, Username, and Password. Scope is an optional parameter.
  • OAuth2 with Client Credentials: On selecting this option, the user is prompted to enter the Access Token URI, Client ID, and Client Secret, and optionally Scope.

In both cases, the AppDirect webhooks implementation uses the configured inputs to run the selected OAuth2 grant against the Access Token URI (the Resource Owner Password Credentials and Client Credentials grants of RFC 6749), obtains an access token, and sends the webhook to the receiver with an HTTP Authorization header whose value is Bearer {access token}. The receiver should validate that token before accepting the webhook, for example by introspecting it at the authorization server or, for a JWT, by verifying its signature and issuer; checking only that the header is present gives no assurance that the webhook came from AppDirect.
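As an added example (not AppDirect's code), the exchange below simulates both sides of the flow offline: a mock authorization server standing in for the configured Access Token URI, the sender obtaining a token with either grant and attaching it as Bearer, and the receiver validating the token by introspection. The client registration, user account, token format and use of HTTP Basic for the client credentials are assumptions; the page does not say how AppDirect presents the Client ID and Client Secret, and Basic is assumed here because RFC 6749 recommends it over body parameters.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed registration data for the mock authorization server below.
CLIENTS = {"appdirect-webhooks": "client-secret-example"}   # client_id -> secret
USERS = {"webhook-user": "user-password-example"}           # username -> password


class MockAuthorizationServer:
    """Stand-in for the Access Token URI: issues opaque bearer tokens for the
    two grants the page lists and answers RFC 7662-style introspection."""

    def __init__(self, clients, users):
        self.clients = clients
        self.users = users
        self.tokens = {}   # access_token -> (client_id, scope, expiry)

    def _authenticate_client(self, authorization_header, params):
        # RFC 6749 section 2.3.1: HTTP Basic, or client_id/client_secret in the body.
        if authorization_header and authorization_header.startswith("Basic "):
            decoded = base64.b64decode(authorization_header[6:]).decode("utf-8")
            client_id, _, client_secret = decoded.partition(":")
        else:
            client_id = params.get("client_id", "")
            client_secret = params.get("client_secret", "")
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
            return None
        return client_id

    def token_endpoint(self, authorization_header, form_body):
        """POST to the Access Token URI; returns (status, JSON-like dict)."""
        params = {k: v[0] for k, v in parse_qs(form_body).items()}
        client_id = self._authenticate_client(authorization_header, params)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        grant_type = params.get("grant_type")
        if grant_type == "password":
            # Resource Owner Password grant: the user's credentials must also check out.
            stored = self.users.get(params.get("username", ""))
            given = params.get("password", "")
            if stored is None or not hmac.compare_digest(stored.encode(), given.encode()):
                return 400, {"error": "invalid_grant"}
        elif grant_type != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, params.get("scope", ""), time.time() + 3600)
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, token):
        entry = self.tokens.get(token)
        if entry is None or entry[2] < time.time():
            return {"active": False}
        return {"active": True, "client_id": entry[0], "scope": entry[1]}


def build_token_request(grant_type, client_id, client_secret, scope=None,
                        username=None, password=None):
    """Sender side: the Authorization header and form body sent to the Access Token URI."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    params = {"grant_type": grant_type}
    if grant_type == "password":
        params["username"] = username
        params["password"] = password
    if scope:
        params["scope"] = scope
    return "Basic " + credentials, urlencode(params)


def deliver_webhook(auth_server, grant_type, config, payload):
    """Sender side: obtain a token, then send the webhook with Bearer {access token}."""
    auth_header, body = build_token_request(grant_type, **config)
    status, response = auth_server.token_endpoint(auth_header, body)
    if status != 200:
        raise RuntimeError(f"token request failed: {response}")
    headers = {"Authorization": f"Bearer {response['access_token']}",
               "Content-Type": "application/json"}
    return headers, payload


def receive_webhook(auth_server, headers, expected_client_id):
    """Receiver side: accept only an active token issued to the expected client."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401
    info = auth_server.introspect(token)
    if not info["active"] or info["client_id"] != expected_client_id:
        return 401
    return 200
```

The receiver checks the client_id returned by introspection, not just that the token is active: any other client of the same authorization server could otherwise obtain a valid bearer token and deliver forged webhooks.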
