About Zapier Community
New to our Community? Get to know more about our space and how to make the most of your time here.

Code of Conduct Community FAQ's Zapier Common Questions What to Expect

Get Started With Zapier
New to Zapier? We have got you covered with our Zapier 101 Resources.

Zapier Essentials

Get Support
Have a question? Let's get you an answer!

How Do I...? Troubleshooting Code & Webhooks Developer Zone

Other Help Resources
Wait, there's more! Check out these Community sourced spaces for additional resources.

Zapier Help Center Hire an Expert

Zapier Reading
All of our best learning resources can be found here.

Featured Articles Show & Tell AI Hub Zapier Tools Hub

Learning Groups
Excited to meet other builders? Check out our interest areas full of doers, dreamers, and in-betweeners.

User Groups

Other Learning Resources
Some of our favorite additional ways to upskill your Zapier knowledge.

Zapier Learn Zapier Blog Zapier Webinars

Product Updates
Check out what is new and upcoming with Zapier with our regular product updates.

Product Updates

Early Access Program
Want to join Early Access? Learn more here.

Best answer

Does Zapier support rest hook subscription verification tokens?

  • 10 November 2021
  • 4 replies
  • 177 views
asharma
Userlevel 2

Hi

I am following implementation guideline at resthooks.org. As part of the guideline, it suggests to validate the new subscription by sending a verification token to the hook URL.

Does Zapier trigger have the ability to support this verification.

icon

Best answer by Zane 11 November 2021, 00:42

View original
This post has been closed for comments. Please create a new post if you need help or have a question about this topic.

4 replies

asharma
Userlevel 2

Thanks for confirming this. I will make changes to accommodate our Zapier use case.

Z
Userlevel 7
Badge +9

Ah! Thanks for the clarification. So sending an subscription ack with a challenge to your server, rather than your integration validating the message. 

We actually do not support that today, and there’s no way to customize that behavior yourself. Hook message processing is asynchronous - a gateway receives the message, sends a HTTP 20x response, and closes the connection before your integration ever gets a handle to that message. 

This is actually something I’ve wanted to support for ages, but not something that’s immediately forthcoming - there’s a few challenges to getting it done in a way that works for all the various header names and variations we’ve seen of server implementations.

asharma
Userlevel 2

Thanks for the response. Just to clarify my original question, I was referring to security best practice to Confirming Receiver's Intent to Subscribe. I believe the receiver in this context will be Zapier trigger.

As described, a confirmation HTTP call is made to the hook URL which should simply return the token generated by the Sender (in case, of immediate confirmation). At this point, “bundle.subscribeData” is not available as it is not being created and is only available after the subscription is created.

Z
Userlevel 7
Badge +9

Yes, to do that you’ll implement that in your perform method. It’s not a function that’s handled automatically.

Whatever secret material (secret or signature verification key, etc) you’ll use to verify the token for messages on that subscription will need to be provided by your API in the subscription response. In your perform method you’d then access it from bundle.subscribeData when you’re validating the message. This is the most common flow I’ve discussed with folks, but there’s probably other options for sharing secrets and validating the message.

Let us know if you want to dig into a design or solution approach more.

Terms & Conditions