Webhook authorization headers

The current implementation of the webhook system does not allow any form of authorization on the outgoing request. Could this be considered as a feature in a future release?


Hey Vanhuysse,

What solution does require authorization for webhooks? What are you actually trying to configure?


I was trying to get Atlassian Jira to listen for a specific webhook (through a custom plugin). Due to how Jira works by default, it would have been convenient if the incoming post request was signed. Authorization header seemed the most logical option for that. Though by now, we have reconsidered our design, configuring Jira somewhat differently to allow unauthorized incoming requests and extract an actor identity from the data that is sent with the webhook.

To conclude, currently the point of authorization headers is moot for us. 


Ok, thank you for the clarification. Looks like it's a canonical way handle post requests, which should work in most cases and not especially with Upsource. For now, we don't see authorization headers in webhooks as a feature for the nearest future.


Please sign in to leave a comment.