Verification of Webhooks
A new security feature has been added to Xurrent’s Webhooks API. This feature ensures that Xurrent verifies whether a webhook’s endpoint is actually owned by the organization that specified the endpoint in the webhook.
Now, when a new webhook is registered, Xurrent immediately sends a webhook.verify message to the endpoint specified in the URI field of the webhook. The payload of this webhook message contains a callback parameter that must be called to prove ownership of the endpoint. A webhook is inactive until the verification callback is received by Xurrent.
Xurrent considers all webhooks that already existed ‘verified’ so the extra verification step is required only for new webhooks and webhooks in which the value in the URI field is updated.
More information about Webhook verification can be found in the Xurrent Developer Documentation.