Webhook to allow for additional custom headers

  • 1
  • Idea
  • Updated 3 weeks ago
I'm currently transitioning some applications to the cloud (starter company everything was being hosted on premise). One of our applications listens to the Ring Central webhook for notifications. With Ring Central being cloud base, you are all well aware of the security needed to be included in such a move. To boost security, our application will be behind an API Gateway that requires an access key in the request header.

I couldn't find anything related in the documentation I was looking for. (Yeah, I could include an access key in the url but that's not secure enough for our standards).

If there was a way to include a specific headers in the valdiation token request and subscription webhook events, this will allow for your clients to put their server based apps behind their api gateway.
Photo of Brandon Hein

Brandon Hein

  • 288 Points 250 badge 2x thumb

Posted 3 weeks ago

  • 1
Photo of Tyler Long

Tyler Long, Official Rep

  • 6,298 Points 5k badge 2x thumb
RingCentral WebHook support verification token. When you register the WebHook, you can provide a verification token. So that every events will also has that token in header. Then your app can verify the token to be sure that even is from RingCentral.

In my opinion, you can set the verification token to your access key.
(Edited)
Photo of Tyler Long

Tyler Long, Official Rep

  • 6,298 Points 5k badge 2x thumb
https://developer.ringcentral.com/api-docs/latest/index.html#!#NotificationDeliveryModeRequest

API reference above is out-of-date. There is a property named "verificationToken" under "deliveryMode", please have a try.
(Edited)
Photo of Brandon Hein

Brandon Hein

  • 288 Points 250 badge 2x thumb
Thanks for the reply Tyler. Out of date forsure doesn't help. But i'll give that a try to see if that will work for us. My current work around is a proxy and sniffs out if it's truly a Ring Central post before reaching our application.

I looked at an option of using the valdiation-token ring central provides in the first webhook request to verify that it's my receiving application. But since that token/header is only used in the first call/post and doesnt come through in the event posts, it doesn't help. I guess that's only used to let Ring Central know it's okay due to how we respond back.

Essentially the idea is to include api headers along with the api endpoint that we include in the create webhook subscription post to Ring Central. I can provide a sample json of what I'm thinking you you'd like, just let me know.

Using AWS (Amazon Web Services)... you can place apis behind their gateway and restrict access to key. Other places I've done integration with require a Client Id and Client Secret as specific headers. Either way... if I was able to provide Ring Central more details on how reach my application rather than just an endpoint, it'd be awesome.

Thanks again
Photo of Tyler Long

Tyler Long, Official Rep

  • 6,288 Points 5k badge 2x thumb
I mean the doc is out of date. The verification token feature is NOT.

And validation token is NOT verification token. They are different.

> Essentially the idea is to include api headers along with the api endpoint that we include in the create webhook subscription post to Ring Central.

Yes that is how verification token works.
Photo of Tyler Long

Tyler Long, Official Rep

  • 6,288 Points 5k badge 2x thumb
For some reason the doc maintainer doesn't want to update it. I have escalated this issue. But you can go ahead to have a try: there is a property named "verificationToken" under "deliveryMode" when you create the WebHook.