Are push notifications secured or authenticated in any way?
Author: Adam Bird
23rd February 2016
We don’t pass any authentication credentials with the notifications. We’ve allowed the callback_url to differ between notification channels (some APIs require it be fixed for all channels) so that you may embed some form of authentication token within the URL if you want an extra layer of security.
On top of requiring a valid OAuth token to create a notification channel in the first place, we can also whitelist domains that can be used for the callback URL. We also encourage the use of HTTPS in production, even though we’ve deliberately kept the notifications themselves free of sensitive information.
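One way to embed and check a per-channel token in the callback URL, shown as an added example rather than code from the API provider. The host name, the `ref` and `token` query parameters, the secret and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a server-side secret kept out of source control (constructed value).
SERVER_SECRET = b"constructed-example-secret"
# Assumption: hypothetical receiver endpoint, served over HTTPS.
CALLBACK_BASE = "https://app.example.com/hooks/notifications"


def channel_token(channel_ref: str) -> str:
    """Derive the token from the channel reference so nothing extra is stored."""
    return hmac.new(SERVER_SECRET, channel_ref.encode(), hashlib.sha256).hexdigest()


def build_callback_url(channel_ref: str) -> str:
    """URL to supply as callback_url when creating the notification channel."""
    query = urlencode({"ref": channel_ref, "token": channel_token(channel_ref)})
    return f"{CALLBACK_BASE}?{query}"


def is_authentic(request_url: str) -> bool:
    """Accept an incoming notification only if its URL carries the right token."""
    params = parse_qs(urlsplit(request_url).query)
    refs, tokens = params.get("ref", []), params.get("token", [])
    # Reject missing or repeated parameters rather than guessing which one to use.
    if len(refs) != 1 or len(tokens) != 1:
        return False
    expected = channel_token(refs[0])
    # Constant-time comparison avoids leaking the token through response timing.
    return hmac.compare_digest(expected.encode(), tokens[0].encode())
```

Tokens carried in a query string usually end up in web server access logs, so treat those logs as sensitive. Changing the secret invalidates every existing callback URL, which means the channels then need to be recreated with fresh URLs.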