
Webhooks

Open philsturgeon opened this issue 10 months ago • 3 comments

"There's no good reason for signing webhooks" - https://www.speakeasy.com/post/no-good-reason-for-signing-webhooks

https://www.speakeasyapi.dev/post/openapi-tips-webhooks-callbacks

philsturgeon avatar Dec 31 '24 11:12 philsturgeon

I can think of a few reasons and I can't tell if the quotes are air-quoted alternative facts that need dealing with.

lornajane avatar Dec 31 '24 16:12 lornajane

@lornajane I spotted this article and was curious about it. This is a note for me to follow up, but I'd love your thoughts too.

philsturgeon avatar Jan 06 '25 10:01 philsturgeon

Signing webhooks (or generally doing different stuff with them than with normal API calls) makes sense because the context is so different. Client makes API calls to the server and stuff like an API key can be checked there. When it goes out to a webhook endpoint, which could be anywhere and might have no data at all for Auth, everything needs to be included with the request. I'm not saying that we're necessarily doing it right as things are, but it makes sense that things are different in this context.

lornajane avatar Jan 17 '25 17:01 lornajane
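An added example, not part of the thread or of either linked article: one way a webhook request can carry everything the receiver needs, using an HMAC over a timestamp and the raw body. The header names, the `sha256=` prefix, the 300-second window and the sample secret and payload are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # assumed replay window, not taken from the thread
TS_HEADER = "X-Webhook-Timestamp"   # hypothetical header name
SIG_HEADER = "X-Webhook-Signature"  # hypothetical header name


def _mac(secret: bytes, timestamp: int, body: bytes) -> str:
    # Bind the timestamp to the body so neither can be replaced on its own.
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> dict:
    """Sender side: build the headers that travel with the request."""
    return {TS_HEADER: str(timestamp),
            SIG_HEADER: "sha256=" + _mac(secret, timestamp, body)}


def verify_webhook(secret: bytes, body: bytes, headers: dict,
                   now: Optional[int] = None) -> bool:
    """Receiver side: authenticate using only the request and a shared secret."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers[TS_HEADER])
        scheme, _, received = headers[SIG_HEADER].partition("=")
    except (KeyError, ValueError):
        return False  # missing or malformed headers: reject
    if scheme != "sha256":
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # too old (or too far in the future): treat as a replay
    expected = _mac(secret, timestamp, body)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    body = b'{"event":"invoice.paid","id":"evt_constructed_1"}'  # constructed
    sent = sign_webhook(secret, body, timestamp=1_700_000_000)
    print(verify_webhook(secret, body, sent, now=1_700_000_010))
    print(verify_webhook(secret, body + b" ", sent, now=1_700_000_010))
```

The receiver must verify against the raw request bytes before any JSON parsing, since re-serialising the body can change it and break the comparison.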