Hi team,
In this thread, Zoom staff said ngrok is on a trusted-domain allowlist, so the endpoint.url_validation (CRC) event is skipped for it.
I’m seeing similar behavior with other domains: validation passes for https://webhooks.preview.workato.com and even https://workato.com without my endpoint handling any CRC challenge.
Questions:
- How is the trusted-domain allowlist determined, and can other platform domains be added to it?
- If a domain is not on the allowlist, is receiving the endpoint.url_validation event a reliable signal of that?
- Does this differ between Server-to-Server OAuth and Webhook-only apps?
Thanks!