FAQs
Q. Should authentication be done just through signature verification of the payload, or should a JWT bearer token issued by the IAM authority be used?
A. JWT bearer token authentication is recommended, since middleware can authenticate the bearer token in the Authorization header. Signature validation was included initially to support validation when authentication was not centralized; it can still be used when IAM is not in place.
Q. Is the bearer token included in the "subscription validation" event?
A. No, not currently. So the webhook needs to allow anonymous access for that event.
Q. When signature validation is used and it fails, what HTTP response code should the webhook return?
A. Return 200. Then send an event acknowledgement with the payload {"action": "Signature Validation", "message": "Signature validation failed", "status": "failed"}.
Q. Should the webhook return any HTTP response code other than 200?
A. In short, no. Once the webhook has accepted an event it should always respond with 200, and then send an event acknowledgement to denote success or failure. The one exception is an invalid JWT bearer token, in which case the request is rejected with a standard 401.
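A minimal webhook handler that applies the rules in this FAQ, added here as an illustration and not code from the original page. The HS256 demo secrets, the X-Payload-Signature header name and the SubscriptionValidation event type are assumptions; the handler returns the HTTP status together with the acknowledgement the webhook would then send.

```python
import base64
import hashlib
import hmac
import json
# Constructed demo secrets (assumption): IAM issues HS256 JWTs and the payload signature
# is HMAC-SHA256 over the raw body; real deployments verify IAM tokens against issuer keys.
IAM_SECRET = b"constructed-demo-iam-secret"
WEBHOOK_SIGNING_KEY = b"constructed-demo-signing-key"
SIGNATURE_HEADER = "X-Payload-Signature"          # header name is an assumption
VALIDATION_EVENT_TYPE = "SubscriptionValidation"  # event type name is an assumption

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes = IAM_SECRET) -> str:  # mints a sample HS256 JWT
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def bearer_token_valid(headers: dict) -> bool:
    """Middleware step: verify Authorization: Bearer <jwt> (HS256; expiry/issuer checks omitted)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or auth.count(".") != 2:
        return False
    header, body, sig = auth[len("Bearer "):].split(".")
    try:
        given = _unb64url(sig)
    except ValueError:  # malformed base64url in the signature segment
        return False
    expected = hmac.new(IAM_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)

def sign_payload(body: bytes, key: bytes = WEBHOOK_SIGNING_KEY) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def handle_webhook(headers: dict, body: bytes):
    """Return (http_status, acknowledgement_to_send) following the FAQ rules."""
    event = json.loads(body)
    # Only the subscription-validation event (which carries no bearer token) is anonymous.
    if event.get("eventType") != VALIDATION_EVENT_TYPE and not bearer_token_valid(headers):
        return 401, None
    # Optional signature validation: a failure is still a 200, reported through the ack.
    if SIGNATURE_HEADER in headers and not hmac.compare_digest(sign_payload(body), headers[SIGNATURE_HEADER]):
        return 200, {"action": "Signature Validation", "message": "Signature validation failed", "status": "failed"}
    return 200, {"action": "Event Processing", "message": "Event accepted", "status": "success"}
```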