Are push notifications secured or authenticated in any way?

Author: Adam Bird

23rd February 2016

We don’t pass any authentication credentials with the notifications. We’ve allowed the callback_url to differ between notification channels (some APIs require it be fixed for all channels) so that you may embed some form of authentication token within the URL if you want an extra layer of security.

On top of requiring a valid OAuth token to create a notification channel in the first place, we can also whitelist domains that can be used for the callback URL. We also encourage the use of HTTPS in production, even though we’ve deliberately kept the notifications themselves free of sensitive information.

Avatar of Adam Bird

Adam Bird

Date: 23rd February 2016 | Category: