How to verify webhook events are coming from Monzo?
I'm not sure whether or not it's possible to verify the source of a webhook event from the POST request. If it's not, there should be a hard-to-guess "password" in the URL you use to register for webhooks, so an application can read it in the POST request.
At the moment, this isn't possible I'm afraid 😞 In the future, we will provide a way to cryptographically assert a webhook is from Monzo.
I would appreciate such a protection as well. Otherwise everyone knowing the webhook endpoint could send fake data 😢
Why not just use a query parameter and check that value in your webhook receiver?
@scottrobertson In general this is not bad indeed - but a cryptographic identification (e.g. by providing a private key signature) would provide even higher security.
Until then I'll go with the query parameter. Thanks 👍
Oh sure, but that ain't gonna happen any time soon sadly due to the API being on hold.
@obeattie I was really surprised to see that HMAC is not implemented for webhooks such as you'd see with GitHub or Patreon. It's not the only way to do this, but should be relatively straightforward.
What would you recommend for developers building apps right now? What if someone discovers a webhook receiver for a Monzo integration?
I also joined Slack and was told that the UI portal won't accept logos despite showing the field (it just gets removed with no feedback) - then after adding an app nothing shows up in the Clients UI - you have to log out and log in again. There is no user feedback, I had to join Slack and report the issue to find this out. Any chance of some updates to the developer documentation for known issues?
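To make the two options discussed above concrete (the query-parameter secret from the earlier replies and the GitHub-style HMAC signature mentioned just above), here is an added receiver-side example. It is not Monzo's code and Monzo does not send any signature header per this thread; the header name `X-Signature-256`, the query parameter `token`, the shared secret and the JSON body are all assumptions for the example. It also shows why the two checks are not equivalent: the HMAC binds the body, the URL token only proves the sender knows the URL.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed names for this example (not part of Monzo's API): a GitHub-style
# signature header and a secret token carried in the registered webhook URL.
SIGNATURE_HEADER = "X-Signature-256"
TOKEN_PARAM = "token"


def sign_body(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the raw request body, hex-encoded with a
    scheme prefix, in the same shape GitHub uses."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Receiver side: recompute the MAC over the *raw* bytes (before any JSON
    parsing or re-serialisation) and compare in constant time."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected.encode(), header_value.encode())


def verify_url_token(expected_token: str, request_target: str) -> bool:
    """Weaker fallback from the thread: a hard-to-guess token in the webhook URL.
    It proves the sender knows the URL, nothing more: anyone who sees the URL
    (access logs, proxies, a leaked config) can POST arbitrary events, and the
    body itself is not bound to anything."""
    values = parse_qs(urlsplit(request_target).query).get(TOKEN_PARAM, [])
    if len(values) != 1:  # missing or duplicated parameter: treat as absent
        return False
    return hmac.compare_digest(values[0].encode(), expected_token.encode())


def accept_webhook(secret: bytes, url_token: str, request_target: str,
                   headers: dict, body: bytes) -> str:
    """Decide how to treat an incoming POST.

    Returns "signed" when a valid HMAC is present, "token-only" when there is no
    signature header but the URL token matches (the situation the thread is
    stuck with), and "reject" otherwise. A signature header that is present but
    wrong is rejected even if the URL token is right."""
    header_value = headers.get(SIGNATURE_HEADER)
    if header_value is not None:
        return "signed" if verify_signature(secret, body, header_value) else "reject"
    if verify_url_token(url_token, request_target):
        return "token-only"
    return "reject"


if __name__ == "__main__":
    # Constructed sample data; the body is an invented transaction-style event.
    secret = b"example-shared-secret"
    token = "s3cr3t-token-in-url"
    body = b'{"type":"transaction.created","data":{"id":"tx_example"}}'
    target = "/hooks/monzo?token=" + token

    sig = sign_body(secret, body)
    print(accept_webhook(secret, token, target, {SIGNATURE_HEADER: sig}, body))
    print(accept_webhook(secret, token, target, {}, body))
    print(accept_webhook(secret, token, target, {}, body + b"tampered"))
    print(accept_webhook(secret, token, "/hooks/monzo?token=guess", {}, body))
```

Note that the third call still prints `token-only`: with a URL token alone a tampered body is indistinguishable from a genuine one, which is exactly the gap a body HMAC closes. If you rely on the token approach in the meantime, at least keep the token out of anything that logs full URLs, and treat each event as a hint to re-fetch the referenced object from the API rather than as trusted data.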
Any news on this? Thank you