Endpoint.url_validation Event Not Triggered

Hi team,

In this thread, Zoom staff said ngrok is on a trusted-domain allowlist, so the endpoint.url_validation (CRC) event is skipped for it.

I’m seeing similar behavior with other domains: validation passes for https://webhooks.preview.workato.com and even https://workato.com without my endpoint handling any CRC challenge.

Questions:

  1. How is the trusted-domain allowlist determined, and can other platform domains be added to it?
  2. If a domain is not on the allowlist, is receiving the endpoint.url_validation event a reliable signal of that?
  3. Does this differ between Server-to-Server OAuth and Webhook-only apps?

Thanks!