When I receive a message in Atlassian, how can I specify that the source of the message is safe

lemon.wu May 13, 2020

Hello, I have recently been integrating Jira. The authorization method I use is to add an ApplicationLink. The specific connection is "xxxxxxxx.net/plugins/servlet/applinks/listApplicationLinks". After authorization, I add a Webhook at the specified location (System -> webhook). When I received the message, I only received the payload. For security reasons, how should I verify the third-party webhook? How can I trust the URL you sent?

1 answer

0 votes
Andy Heinzer
Atlassian Team
May 19, 2020

Hi,

I understand that you are looking to better understand how Jira will use webhooks. However, I am a bit confused here. Your question has a jira-software-server tag, but your description seems to indicate that you're using an example.atlassian.net/ address, which would be more indicative of a Jira Cloud site. It's possible that the answer to your question could be different between Jira Cloud and Jira Server platforms.

There are several different ways to create a webhook for Jira Cloud. It could be that you are doing this manually; however, the fact that you are creating an application link makes me suspicious that perhaps you are creating a Connect app here. Is that accurate? Connect apps have restrictions in regards to the webhooks that they can register within Jira Cloud.

But if I understand your concern, you want to validate the source of the webhook, and not specifically the payload itself. Reviewing the Cloud and Server docs on this, I don't see a clear method for doing this. The Cloud documentation on this topic does mention, though, that:

Every webhook contains the X-Atlassian-Webhook-Identifier header that provides an identifier for a webhook. This identifier is unique within a Jira Cloud tenant and is the same across retries.

Perhaps this header could be a means to identify the source. I understand that this is not foolproof, as perhaps someone could make a request and change that header, but I don't see a clear method for evaluating the source of these messages otherwise. I did come across an older thread here in Community that seems related to this: https://community.atlassian.com/t5/Answers-Developer-Questions/Where-does-the-webhook-arrive-from/qaq-p/462347

The ultimate answer seems that there is not a means to do this short of

digging into the raw json request body and finding the URL somewhere in the links

as Marketa noted.

Sorry, this might not be very helpful. It might be more helpful to post in our Developer Community with this kind of question. That platform tends to have more focus on the creation of apps/plugins/integrations with our products.

Andy
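The two checks the answer mentions, the X-Atlassian-Webhook-Identifier header (for dropping retries) and the `self` links buried in the JSON body (for an allow-list of expected tenant hosts), as an added Python example that is not part of this thread or of any Atlassian code. The payload layout (`issue.self`), the trusted host and the sample delivery are constructed assumptions; both header and body are chosen by whoever sends the request, so this is plausibility filtering for a receiver, not sender authentication.

```python
import json
from urllib.parse import urlparse

# Hosts whose webhooks this receiver expects; constructed example tenant.
TRUSTED_HOSTS = {"example.atlassian.net"}


def find_self_urls(node):
    """Walk the decoded JSON body and yield every string stored under a 'self' key.
    Jira REST payloads carry such links on issues, projects and users (assumed layout)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "self" and isinstance(value, str):
                yield value
            else:
                yield from find_self_urls(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_self_urls(item)


def check_webhook(headers, body, seen_ids):
    """Return (accepted, detail). Rejects deliveries that lack the identifier
    header, repeat an identifier already processed (a retry), are not JSON, or
    contain a 'self' link pointing outside TRUSTED_HOSTS. Neither check proves
    who sent the request; it only filters mis-routed or obviously foreign data."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ident = lowered.get("x-atlassian-webhook-identifier")
    if not ident:
        return False, "missing X-Atlassian-Webhook-Identifier header"
    if ident in seen_ids:
        return False, "duplicate delivery (retry already processed)"
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    links = list(find_self_urls(payload))
    if not links:
        return False, "no self links in payload to check"
    for link in links:
        host = urlparse(link).hostname
        if host not in TRUSTED_HOSTS:
            return False, f"self link points at untrusted host {host!r}"
    seen_ids.add(ident)  # remember only accepted deliveries
    return True, ident


# Constructed sample delivery resembling a Jira Cloud issue event.
SAMPLE_HEADERS = {"X-Atlassian-Webhook-Identifier": "demo-identifier-0001"}
SAMPLE_BODY = json.dumps({
    "webhookEvent": "jira:issue_updated",
    "issue": {"key": "TEST-1",
              "self": "https://example.atlassian.net/rest/api/2/issue/10001"},
})
```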
