Custom Header Support

Does Shotgun Webhooks development team plan to support custom headers?
Our team needs to authenticate users (in this case, Shotgun Webhook) who come to the AWS API Gateway with x-api-key header.
Ref. https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-key-source.html

4 Likes

Hi @koya_iwamura,

Welcome to the community and thanks for posting! Let me check it out with the webhooks experts.

2 Likes

Hi @koya_iwamura,
Thank you very much for the request. We had no concrete plans to support custom headers but your use case makes total sense.

I have opened a ticket for this.

3 Likes

Hi @koya_iwamura, I was looking into the custom headers suggestion, however, the doc you sent contains two different approaches to providing the authentication, is it possible that you could use the AUTHORIZER method instead?
I’ll admit I’ve not tried that myself self so I don’t know how simple it is or if there are any limitations?

2 Likes

The AUTHORIZER method is not suitable for Webhooks because they have to log in first to receive the token and then grant the token to make the request.
If Webhooks can send requests with arbitrary headers except the existing ones in Webhooks, then we can handle a variety of events(including authorization) with headers in the future.

1 Like

Wanted to provide an update that security implications were too great for us to support arbitrary custom headers. We may instead consider a more curated list.

1 Like