Rotating Webhook Only App Secret Tokens Without Downtime

Our platform has an existing Webhook Only app that was created years ago by a developer who is no longer with the company. As part of increasing our security posture we would like to implement regular rotation of this app’s secret token while minimising lost events.

We have two questions we would appreciate the community’s assistance with.

  1. We would like to change this app’s owner. Does the app’s configuration change with an ownership transfer (e.g. secret token)? Any risk we should be aware of?
    Server-to-server apps are documented to require credentials rotation after a transfer, but I could not find any information specific to Webhook Only apps.

  2. Any guidelines on how to rotate a Webhook Only app’s secret token without any downtime or losing events?

Kind regards,
Theodore
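The zero-downtime rotation asked about in question 2 is usually handled on the receiving side: the endpoint keeps both the outgoing and the incoming secret token active for a transition window, accepts any delivery that verifies under either, and retires the old token only after deliveries have demonstrably moved to the new one. The following is an added example (not code from this thread or from Zoom); the header names `x-zm-signature` and `x-zm-request-timestamp`, the `v0:<timestamp>:<body>` message layout and the `v0=<hex>` signature prefix are modelled on Zoom's documented HMAC-SHA256 scheme as I recall it and should be treated as assumptions to check against the current documentation, and the secret values are constructed placeholders.

```python
import hashlib
import hmac
import time

# Constructed placeholders: the token currently configured in the app ("old") and
# the regenerated one ("new"). Both stay active during the rotation window so a
# delivery signed with either one is accepted and no event is dropped.
ACTIVE_SECRETS = {
    "old": "example-old-secret-token",
    "new": "example-new-secret-token",
}
MAX_SKEW_SECONDS = 300  # reject deliveries whose timestamp is too far from now (replay defence)


def compute_signature(secret, timestamp, body):
    # Assumption: HMAC-SHA256 over "v0:<timestamp>:<raw body>", hex encoded, prefixed with "v0=".
    message = f"v0:{timestamp}:{body}".encode()
    digest = hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()
    return f"v0={digest}"


def sign_request(secret, body, timestamp):
    # Builds the headers a sender would attach; used here to construct test deliveries.
    return {
        "x-zm-request-timestamp": str(timestamp),
        "x-zm-signature": compute_signature(secret, timestamp, body),
    }


def verify_webhook(headers, body, secrets=ACTIVE_SECRETS, now=None):
    """Return the name of the secret that verified the delivery, or None if it is invalid.

    Trying every active secret is what makes rotation seamless: the sender can switch
    to the new token at any moment without a single delivery failing verification.
    """
    now = time.time() if now is None else now
    timestamp = headers.get("x-zm-request-timestamp")
    signature = headers.get("x-zm-signature", "")
    if timestamp is None or not signature:
        return None
    try:
        if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
            return None  # stale or replayed delivery
    except ValueError:
        return None
    for name, secret in secrets.items():
        expected = compute_signature(secret, timestamp, body)
        # Constant-time comparison so the check does not leak signature bytes via timing.
        if hmac.compare_digest(expected, signature):
            return name
    return None


class RotationTracker:
    """Records which secret last verified a delivery so the old token can be retired safely.

    Design choice for this example, not Zoom behaviour: the old secret is dropped only after
    at least one delivery verified under the new secret AND nothing has verified under the
    old one for a quiet period, which shows the sender has fully switched over.
    """

    def __init__(self, quiet_period_seconds):
        self.quiet_period = quiet_period_seconds
        self.last_seen = {}

    def record(self, secret_name, now):
        self.last_seen[secret_name] = now

    def old_secret_retirable(self, now):
        if "new" not in self.last_seen:
            return False
        last_old = self.last_seen.get("old")
        return last_old is None or now - last_old >= self.quiet_period


if __name__ == "__main__":
    body = '{"event":"webinar.ended","payload":{"object":{"id":"constructed-id"}}}'
    now = int(time.time())
    tracker = RotationTracker(quiet_period_seconds=3600)
    for which in ("old", "new"):
        headers = sign_request(ACTIVE_SECRETS[which], body, now)
        verified_by = verify_webhook(headers, body, now=now)
        tracker.record(verified_by, now)
        print(f"delivery signed with {which} token verified by: {verified_by}")
    print("old token retirable now:", tracker.old_secret_retirable(now))
```

The rotation itself then has three steps: add the new token to the active set and deploy, regenerate the token in the app configuration, and remove the old token once the tracker reports it retirable. Log which secret verified each delivery; a spike in failed verifications right after the regeneration is the signal that the new token was not deployed to every receiver.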

hi @Theodore2 ,

welcome to the community.
You can transfer the app owner within your domain. Access via the marketplace.
If you are using a server-to-server app then that has the authentication and codes as all marketplace apps do. Unlike other apps there is not a user authentication process to validate a user.
Your webhooks will then be ‘connected’ to that app. As this is a push from Zoom, there is not the same authentication process.

Server-to-server apps are limited to you and your account and the credentials don’t have to change.
Can your app check for authentication, that your webhook is valid when received?
Also, do you have a ‘timed’ action that will check if a webhook is missed?

John

Hi John,

Thank you for the information. I mentioned server-to-server apps as a comparison but I am interested in Webhook Only apps.

I am trying to determine whether a Webhook Only app’s secret token will be automatically regenerated during an ownership transfer. I couldn’t find any official documentation around Webhook Only apps’ secret tokens. We have a high traffic app so I cannot afford to lose events.

Kind regards,
Theodore

hi @Theodore2 ,

I will release a video on this, but I hate server-to-server apps.

I use a lot of webhooks, but almost always will run an API to take an action after the notification.
Webhooks are amazingly reliable considering what they are.

If you have a high traffic app, then I would also set up a timed ‘backup’.

e.g. If I am waiting for webinars to complete for me to then take action,
I would run a daily (or less frequent) ‘catch-up’ routine:
an API call to check on all the webinars to make sure I had not missed a notification.
By the time of this call my auth token would have expired, so I would use the refresh token first.
This then performs two actions:

  1. Checks that no hooks have been missed.
  2. Refreshes the token.
    I call this my heartbeat function.
    This allows me to confirm that the system is working, live and up to date!

John