Webhook Verification - Chicken and Egg?


Hoping someone can point me in the right direction. In short, with the new webhook verification process do we now have a chicken-and-egg situation?

Let me explain…

When we go in to create a Server to Server Application, upon starting the creation process we are provided with the various credentials, including app secret, ID and webhook secret.

Now, in order to configure a webhook, we need to use the webhook secret to perform the validation. So we need to ‘store’ this information, or re-write code to use the webhook secret before we can save the application? I’m hoping this makes sense.

Consider a scenario where users create an app with the intention of using the app to connect to a service. They need to save such credentials in the service but can only get these credentials by starting the create app process…

It seems strange that you can’t complete the app-creation process before saving the credentials in whatever service you are using.

Does this make sense? I might not be explaining it properly…


Great question, @jon.wallace.

You can save the application that you have created without validating a webhook. However, in order to get the webhook working you’ll want to validate using the secret token.

What I mean here is that you can see the token validation as part of the requisite code for setting up and testing your Webhook. However, it shouldn’t create a circular dependency.

Let me know if that helps to answer your question.