Webhook v3: authentication and/or custom HTTP headers

Hello,

Is there some authentication feature for Webhooks v3?
AFAIK the only solution is by using Basic Auth in URL like mentioned there for v2:


Right? Did I miss something?

Webhooks v2 allows setting custom headers. How to set custom headers with webhooks v3?

Regards,
Sébastien

Hello Sébastien

At this time, using Basic Auth in the URL is still the solution for authentication in Webhook V3.

Currently, V3 webhook subscriptions do not support the custom headers that are available in V2 webhooks, however this capability is in development.

Regards,

Hi Chiedu,

Thanks for your answer.
Please let me know - here or via DM - your internal ID/reference about the custom HTTP headers feature for webhooks v3 then I will be able to follow progression with my CSM.

Regards,
Sébastien

Hi Sébastien,

Unfortunately, our internal references for features in development do not have a customer-facing component that we can share. Sorry about that!

In the spirit of being fully transparent, we do not currently have an ETA on releasing this functionality. Things can change rapidly during the development process, so I don’t like to guess about release dates.

The Support team is always happy to help get your feedback to the Product team. If you’d like to weigh in on specific new features in the future, we highly recommend emailing support@pagerduty.com.

It is also worth pointing out that we recommend using Webhook Signature verification for V3 Webhook authentication whenever possible. This mechanism has strong security properties and in the future will provide support for rotating the signing secret with zero downtime.

Hi Charlie,

Thanks for pointing this out. And it’s something we will do.

As a huge distributed company, our strategy is to encourage (and if possible compel) this practice. But each feature team is accountable for this.
However, to expose their endpoints - as they are webhook handlers for a SaaS service - they must use the company’s gateway. Here we’re able to manage global security rules like forcing at least one of the whitelisted identification/authentication mechanisms.
But no signature verification to avoid CPU-bound limits on the Gateway, to avoid secret sharing problems, and so on.

Hope it helps you to better understand our concerns. And not only ours as I found other posts about this.

Regards,
Sébastien

Hi Sébastien,

This is Tom from the PagerDuty support team. I hope you don’t mind my stepping in here.

Thanks for your detailed feature request! I’d also like to point out that whenever possible, we recommend using Webhook Signature verification for V3 Webhook authentication. This mechanism has strong security properties and in the future will provide support for rotating the signing secret with zero downtime.

Is there anything else I can assist with at the moment? If not, I’ll go ahead and close this support ticket to share your feedback with our Product team.

Kind regards,

Thanks Thomas. I read Charlie’s suggestion and you provide the same one. So I already explained why it should not be enough, and I hope PagerDuty staff will listen to our concerns (and we’re not the unique customer, see the link I provided).

Hi Sebastien,

Thank you for your feedback. This is taken into consideration for webhooks V3 as a feature request; the team will keep this thread posted on progress.
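
The Webhook Signature verification recommended in the replies above, sketched for a webhook handler as an added example (not part of the thread and not PagerDuty's own code). The `X-PagerDuty-Signature` header name and the comma-separated `v1=<hex HMAC-SHA256>` format are taken from PagerDuty's public webhook documentation, not from this thread; the function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional, Sequence

# Header name and "v1=<hex>" format follow PagerDuty's public webhook docs;
# this thread does not state them, so treat both as assumptions.
SIGNATURE_HEADER = "X-PagerDuty-Signature"
SCHEME = "v1"


def sign(secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact request bytes, keyed with the signing secret."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify(secrets: Sequence[str], raw_body: bytes, header: Optional[str]) -> bool:
    """True if any v1 signature in the header matches any currently accepted secret."""
    if not header:
        return False  # unsigned request: reject
    presented = []
    for item in header.split(","):  # header is a comma-separated list of signatures
        scheme, _, value = item.strip().partition("=")
        if scheme == SCHEME and value:
            presented.append(value.strip().lower().encode())
    matched = False
    for secret in secrets:
        expected = sign(secret, raw_body).encode()
        for candidate in presented:
            # compare_digest avoids leaking the match position through timing
            matched |= hmac.compare_digest(expected, candidate)
    return matched


# Constructed sample data (not real PagerDuty traffic or secrets).
SECRET = "constructed-signing-secret"
BODY = b'{"event":{"event_type":"incident.triggered","id":"CONSTRUCTED"}}'

if __name__ == "__main__":
    good = f"{SCHEME}={sign(SECRET, BODY)}"
    print("valid signature:  ", verify([SECRET], BODY, good))
    print("tampered body:    ", verify([SECRET], BODY + b" ", good))
    print("missing header:   ", verify([SECRET], BODY, None))
    print("two secrets held: ", verify(["constructed-new-secret", SECRET], BODY, good))
```

The HMAC must be computed over the raw request bytes before any JSON parsing or re-serialization, otherwise a valid signature will fail to match.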