webhook callback security

RC GGI
RC GGI
inAPI & Developers

I am working with a client to integrate Smartsheet with their other system through the use of API and REST services. One of the things that got me interested is the use of webhooks to monitor what is happening in Smartsheet and to follow our event-driven architecture. My concern is, if I read the documentation correctly, I do not see configuration to provide authentication type for the callbackURL. Does this mean, Smartsheet is posting data to the callbackURL without any authentication and juet let the application / endpoint receiving the callback to check the authenticity of the message based on the secret key?

· Share on Facebook Share on Twitter

Best Answer

Answers

  • Sean Morgan
    Sean Morgan Employee
    Answer ✓

    Hello@RC GGI,

    There are two methods you have to verify the payload information is the Webhook ID and the authentication procedure is described here:https://smartsheet-platform.github.io/api-docs/#authenticating-callbacks-optional.

    As far as private information being sent to a "compromised" address, AFAIK a design consideration for our existing Webhooks design was to send "skinny" payloads such that customer data is not exposed in the payload. In order to retrieve that information an additional API request is required with a valid API token.

    Let me know if you have any questions!

    Regards

    Sean

    · Share on Facebook Share on Twitter
  • RC GGI
    RC GGI

    Hi@Sean Morgan,

    Thanks for the reply. That is what I thought as well. We can only authenticate by reading/examining the payload (which means the incoming request has already been "in" the receiving endpoint). This is a bit of a setback due to the fact that we are limited by security protocol and the API management tool we are using (that is all endpoints should be exposed through SSL and authenticated by at least basic authentication). This is just unfortunate as webhook will definitely fit our event-driven architecture. We might opt to make use of polled services to scan / monitor the sheets for any changes.

    · Share on Facebook Share on Twitter
  • JeremiahHorstick
    JeremiahHorstick ✭✭✭✭✭✭

    @RC GGIwhat about an AWS intermediary to authenticate with your end point?

    · Share on Facebook Share on Twitter

Categories

Widgets { get { return widgets; } set { widgets = value; } } When you update the Sight you get a JSON error. The API documentation states Update is for a dashboard name change - this does work ok. Can anyone confirm whether you can or cannot update…","snippet":"The sight object exposes Widgets as a get and a set. public IList Widgets { get { return widgets; } set { widgets = value; } } When you update the Sight you get a JSON…","categoryID":320,"dateInserted":"2023-08-23T16:10:13+00:00","dateUpdated":null,"dateLastComment":"2023-08-25T02:50:25+00:00","insertUserID":136172,"insertUser":{"userID":136172,"name":"BKing","title":"","url":"https:\/\/community.smartsheet.com\/profile\/BKing","photoUrl":"https:\/\/us.v-cdn.net\/6031209\/uploads\/defaultavatar\/nWRMFRX6I99I6.jpg","dateLastActive":"2023-08-25T14:24:11+00:00","banned":0,"punished":0,"private":false,"label":"✭✭"},"updateUserID":null,"lastUserID":139601,"lastUser":{"userID":139601,"name":"jmyzk_cloudsmart_jp","title":"jmyzk","url":"https:\/\/community.smartsheet.com\/profile\/jmyzk_cloudsmart_jp","photoUrl":"https:\/\/us.v-cdn.net\/6031209\/uploads\/userpics\/ZBVD3K8PY0D5\/n7CZ1F4XWEM9Y.JPG","dateLastActive":"2023-08-27T01:23:09+00:00","banned":0,"punished":0,"private":false,"label":"✭✭✭✭✭"},"pinned":false,"pinLocation":null,"closed":false,"sink":false,"countComments":3,"countViews":45,"score":null,"hot":3385740638,"url":"https:\/\/community.smartsheet.com\/discussion\/109346\/can-anyone-help-with-the-dashboard-api","canonicalUrl":"https:\/\/community.smartsheet.com\/discussion\/109346\/can-anyone-help-with-the-dashboard-api","format":"Rich","lastPost":{"discussionID":109346,"commentID":392512,"name":"Re: Can anyone help with the Dashboard api?","url":"https:\/\/community.smartsheet.com\/discussion\/comment\/392512#Comment_392512","dateInserted":"2023-08-25T02:50:25+00:00","insertUserID":139601,"insertUser":{"userID":139601,"name":"jmyzk_cloudsmart_jp","title":"jmyzk","url":"https:\/\/community.smartsheet.com\/profile\/jmyzk_cloudsmart_jp","photoUrl":"https:\/\/us.v-cdn.net\/6031209\/uploads\/userpics\/ZBVD3K8PY0D5\/n7CZ1F4XWEM9Y.JPG","dateLastActive":"2023-08-27T01:23:09+00:00","banned":0,"punished":0,"private":false,"label":"✭✭✭✭✭"}},"breadcrumbs":[{"name":"Home","url":"https:\/\/community.smartsheet.com\/"},{"name":"Get Help","url":"https:\/\/community.smartsheet.com\/categories\/get-help"},{"name":"API & Developers","url":"https:\/\/community.smartsheet.com\/categories\/api-developers"}],"groupID":null,"statusID":3,"attributes":{"question":{"status":"accepted","dateAccepted":"2023-08-24T07:38:40+00:00","dateAnswered":"2023-08-24T00:17:46+00:00","acceptedAnswers":[{"commentID":392255,"body":"

@BKing<\/a> <\/p>

\n \n https:\/\/stackoverflow.com\/questions\/56711545\/is-it-possible-to-change-widget-data-of-dashboards-through-the-smartsheet-api\n <\/a>\n<\/div>


<\/p>"}]}},"status":{"statusID":3,"name":"Accepted","state":"closed","recordType":"discussion","recordSubType":"question"},"bookmarked":false,"unread":false,"category":{"categoryID":320,"name":"API & Developers","url":"https:\/\/community.smartsheet.com\/categories\/api-developers","allowedDiscussionTypes":[]},"reactions":[{"tagID":3,"urlcode":"Promote","name":"Promote","class":"Positive","hasReacted":false,"reactionValue":5,"count":0},{"tagID":5,"urlcode":"Insightful","name":"Insightful","class":"Positive","hasReacted":false,"reactionValue":1,"count":0},{"tagID":11,"urlcode":"Up","name":"Vote Up","class":"Positive","hasReacted":false,"reactionValue":1,"count":0},{"tagID":13,"urlcode":"Awesome","name":"Awesome","class":"Positive","hasReacted":false,"reactionValue":1,"count":0}],"tags":[]},{"discussionID":109281,"type":"question","name":"Bridge and FedEx Module - Authentication Problem","excerpt":"I'm getting an authentication connect issue when trying to run the FedEx Module step in my Bridge job flow. I set up a FedEx Developer Account and created a test new project. When I run the Bridge job I get an error on on the Module run saying, \"failed to execute extension module : Authentication Failed\". I mapped the…","snippet":"I'm getting an authentication connect issue when trying to run the FedEx Module step in my Bridge job flow. I set up a FedEx Developer Account and created a test new project. When…","categoryID":320,"dateInserted":"2023-08-22T16:13:19+00:00","dateUpdated":null,"dateLastComment":"2023-08-25T14:18:51+00:00","insertUserID":148855,"insertUser":{"userID":148855,"name":"cabbsman","url":"https:\/\/community.smartsheet.com\/profile\/cabbsman","photoUrl":"https:\/\/aws.smartsheet.com\/storageProxy\/image\/images\/u!1!88cq90f5xTs!8sDpd7uL9Ps!kj4X4avpgGN","dateLastActive":"2023-08-25T14:19:44+00:00","banned":0,"punished":0,"private":false,"label":"✭✭✭"},"updateUserID":null,"lastUserID":91566,"lastUser":{"userID":91566,"name":"Genevieve P.","title":"Community Manager","url":"https:\/\/community.smartsheet.com\/profile\/Genevieve%20P.","photoUrl":"https:\/\/us.v-cdn.net\/6031209\/uploads\/userpics\/KHY4Y67W0VRX\/nF76D5N9MFB28.png","dateLastActive":"2023-08-25T20:36:29+00:00","banned":0,"punished":0,"private":false,"label":"Employee Admin"},"pinned":false,"pinLocation":null,"closed":false,"sink":false,"countComments":3,"countViews":54,"score":null,"hot":3385695730,"url":"https:\/\/community.smartsheet.com\/discussion\/109281\/bridge-and-fedex-module-authentication-problem","canonicalUrl":"https:\/\/community.smartsheet.com\/discussion\/109281\/bridge-and-fedex-module-authentication-problem","format":"Rich","tagIDs":[227,369],"lastPost":{"discussionID":109281,"commentID":392578,"name":"Re: Bridge and FedEx Module - Authentication Problem","url":"https:\/\/community.smartsheet.com\/discussion\/comment\/392578#Comment_392578","dateInserted":"2023-08-25T14:18:51+00:00","insertUserID":91566,"insertUser":{"userID":91566,"name":"Genevieve P.","title":"Community Manager","url":"https:\/\/community.smartsheet.com\/profile\/Genevieve%20P.","photoUrl":"https:\/\/us.v-cdn.net\/6031209\/uploads\/userpics\/KHY4Y67W0VRX\/nF76D5N9MFB28.png","dateLastActive":"2023-08-25T20:36:29+00:00","banned":0,"punished":0,"private":false,"label":"Employee Admin"}},"breadcrumbs":[{"name":"Home","url":"https:\/\/community.smartsheet.com\/"},{"name":"Get Help","url":"https:\/\/community.smartsheet.com\/categories\/get-help"},{"name":"API & Developers","url":"https:\/\/community.smartsheet.com\/categories\/api-developers"}],"groupID":null,"statusID":3,"image":{"url":"https:\/\/us.v-cdn.net\/6031209\/uploads\/G9UB21M8QHGL\/screenshot-28125-29.png","urlSrcSet":{"10":"","300":"","800":"","1200":"","1600":""},"alt":"Screenshot (125).png"},"attributes":{"question":{"status":"accepted","dateAccepted":"2023-08-25T14:00:28+00:00","dateAnswered":"2023-08-25T08:23:46+00:00","acceptedAnswers":[{"commentID":392524,"body":"

Hey @cabbsman<\/a> <\/p>

I'm not sure why you're getting the Authentication error, however I don't believe you need to connect to the developer account to track your FedEx parcel! 🙂<\/span><\/p>

Try disconnecting from the developer account and simply click Connect in the Extension:<\/p>

\n
\n \n \"Screenshot<\/img><\/a>\n <\/div>\n<\/div>\n

Hopefully this helps bypass the error. Let me know if that worked for you!<\/p>

Cheers,<\/p>

Genevieve<\/p>"}]}},"status":{"statusID":3,"name":"Accepted","state":"closed","recordType":"discussion","recordSubType":"question"},"bookmarked":false,"unread":false,"category":{"categoryID":320,"name":"API & Developers","url":"https:\/\/community.smartsheet.com\/categories\/api-developers","allowedDiscussionTypes":[]},"reactions":[{"tagID":3,"urlcode":"Promote","name":"Promote","class":"Positive","hasReacted":false,"reactionValue":5,"count":0},{"tagID":5,"urlcode":"Insightful","name":"Insightful","class":"Positive","hasReacted":false,"reactionValue":1,"count":0},{"tagID":11,"urlcode":"Up","name":"Vote Up","class":"Positive","hasReacted":false,"reactionValue":1,"count":0},{"tagID":13,"urlcode":"Awesome","name":"Awesome","class":"Positive","hasReacted":false,"reactionValue":1,"count":0}],"tags":[{"tagID":227,"urlcode":"api-and-developers","name":"API and Developers"},{"tagID":369,"urlcode":"bridge-by-smartsheet","name":"Bridge"}]},{"discussionID":109267,"type":"question","name":"Is there any way to get a sheetID from the KEY retrieved from a sheet access report?","excerpt":"I am a system admin, and we recently had to let go of our other system admin. I am trying to find out what sheets he had access to that I didn't, so I could could access to those sheets. The only way I can compare what I have access to versus was he had access to was a sheet access report, which has a sheet Key, not the…","snippet":"I am a system admin, and we recently had to let go of our other system admin. I am trying to find out what sheets he had access to that I didn't, so I could could access to those…","categoryID":320,"dateInserted":"2023-08-22T15:06:55+00:00","dateUpdated":null,"dateLastComment":"2023-08-23T14:06:57+00:00","insertUserID":137019,"insertUser":{"userID":137019,"name":"Samuel Mueller","title":"","url":"https:\/\/community.smartsheet.com\/profile\/Samuel%20Mueller","photoUrl":"https:\/\/us.v-cdn.net\/6031209\/uploads\/userpics\/B9G8B70WXQWC\/nKTI46EH9WQOM.jpg","dateLastActive":"2023-08-25T18:19:58+00:00","banned":0,"punished":0,"private":false,"label":"Overachievers"},"updateUserID":null,"lastUserID":137019,"lastUser":{"userID":137019,"name":"Samuel Mueller","title":"","url":"https:\/\/community.smartsheet.com\/profile\/Samuel%20Mueller","photoUrl":"https:\/\/us.v-cdn.net\/6031209\/uploads\/userpics\/B9G8B70WXQWC\/nKTI46EH9WQOM.jpg","dateLastActive":"2023-08-25T18:19:58+00:00","banned":0,"punished":0,"private":false,"label":"Overachievers"},"pinned":false,"pinLocation":null,"closed":false,"sink":false,"countComments":3,"countViews":41,"score":null,"hot":3385518232,"url":"https:\/\/community.smartsheet.com\/discussion\/109267\/is-there-any-way-to-get-a-sheetid-from-the-key-retrieved-from-a-sheet-access-report","canonicalUrl":"https:\/\/community.smartsheet.com\/discussion\/109267\/is-there-any-way-to-get-a-sheetid-from-the-key-retrieved-from-a-sheet-access-report","format":"Rich","tagIDs":[227,526],"lastPost":{"discussionID":109267,"commentID":392110,"name":"Re: Is there any way to get a sheetID from the KEY retrieved from a sheet access report?","url":"https:\/\/community.smartsheet.com\/discussion\/comment\/392110#Comment_392110","dateInserted":"2023-08-23T14:06:57+00:00","insertUserID":137019,"insertUser":{"userID":137019,"name":"Samuel Mueller","title":"","url":"https:\/\/community.smartsheet.com\/profile\/Samuel%20Mueller","photoUrl":"https:\/\/us.v-cdn.net\/6031209\/uploads\/userpics\/B9G8B70WXQWC\/nKTI46EH9WQOM.jpg","dateLastActive":"2023-08-25T18:19:58+00:00","banned":0,"punished":0,"private":false,"label":"Overachievers"}},"breadcrumbs":[{"name":"Home","url":"https:\/\/community.smartsheet.com\/"},{"name":"Get Help","url":"https:\/\/community.smartsheet.com\/categories\/get-help"},{"name":"API & Developers","url":"https:\/\/community.smartsheet.com\/categories\/api-developers"}],"groupID":null,"statusID":3,"attributes":{"question":{"status":"accepted","dateAccepted":"2023-08-23T14:05:46+00:00","dateAnswered":"2023-08-23T13:36:46+00:00","acceptedAnswers":[{"commentID":392096,"body":"

Hey @Samuel Mueller<\/a> <\/p>

They key is something you can provide to Support to help them find the specific sheet down the line, if needed. For your purposes, it can help identify different sheets when they have the same name. <\/p>

Here's more information:<\/p>

\n \n https:\/\/help.smartsheet.com\/articles\/2482665-sheet-access-report\n <\/a>\n<\/div>

Cheers,<\/p>

Genevieve<\/p>"}]}},"status":{"statusID":3,"name":"Accepted","state":"closed","recordType":"discussion","recordSubType":"question"},"bookmarked":false,"unread":false,"category":{"categoryID":320,"name":"API & Developers","url":"https:\/\/community.smartsheet.com\/categories\/api-developers","allowedDiscussionTypes":[]},"reactions":[{"tagID":3,"urlcode":"Promote","name":"Promote","class":"Positive","hasReacted":false,"reactionValue":5,"count":0},{"tagID":5,"urlcode":"Insightful","name":"Insightful","class":"Positive","hasReacted":false,"reactionValue":1,"count":0},{"tagID":11,"urlcode":"Up","name":"Vote Up","class":"Positive","hasReacted":false,"reactionValue":1,"count":0},{"tagID":13,"urlcode":"Awesome","name":"Awesome","class":"Positive","hasReacted":false,"reactionValue":1,"count":0}],"tags":[{"tagID":227,"urlcode":"api-and-developers","name":"API and Developers"},{"tagID":526,"urlcode":"system-admin","name":"system admin"}]}],"initialPaging":{"nextURL":"https:\/\/community.smartsheet.com\/api\/v2\/discussions?page=2&categoryID=320&includeChildCategories=1&type%5B0%5D=Question&excludeHiddenCategories=1&sort=-hot&limit=3&expand%5B0%5D=all&expand%5B1%5D=-body&expand%5B2%5D=insertUser&expand%5B3%5D=lastUser&status=accepted","prevURL":null,"currentPage":1,"total":216,"limit":3},"title":"Trending in API & Developers","subtitle":null,"description":null,"noCheckboxes":true,"containerOptions":[],"discussionOptions":[]}">

Trending in API & Developers

  • Can anyone help with the Dashboard api?

    The sight object exposes Widgets as a get and a set. public IList Widgets { get { return widgets; } set { widgets = value; } } When you update the Sight you get a JSON error. The API documentation states Update is for a dashboard name change - this does work ok. Can anyone confirm whether you can or cannot update…

  • Bridge and FedEx Module - Authentication Problem

    I'm getting an authentication connect issue when trying to run the FedEx Module step in my Bridge job flow. I set up a FedEx Developer Account and created a test new project. When I run the Bridge job I get an error on on the Module run saying, "failed to execute extension module : Authentication Failed". I mapped the…

  • Is there any way to get a sheetID from the KEY retrieved from a sheet access report?

    I am a system admin, and we recently had to let go of our other system admin. I am trying to find out what sheets he had access to that I didn't, so I could could access to those sheets. The only way I can compare what I have access to versus was he had access to was a sheet access report, which has a sheet Key, not the…