Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

How to verify 'installed' webhook payload?

I have made an atlassian connect application for Bitbucket and I have implemented JWT token validation, but there's a problem.

The payload I get when someone installs the app for the first time on their account simply lacks Authorization header and thus JWT token. Unlike what the documentation claims, this header is  absent not just on first installation globally but on every first installation for each account.

The question is, how do I verify these installed events? When using a registered app I know the shared secret from my console, and I can check if shared secret given in the payload matches the one in my configuration. But if comparing shared secrets is sufficient for validation, why the whole process with JWT and qsh claim? The install hook request lacks a JWT token and thus it doesn't have any protections at all, it seems.

I do not know what is the general idea here.

0 answers

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Bitbucket

Powering DevOps with Bitbucket Server & Data Center

Hi everyone, The Cloud team recently announced 12 new DevOps features that help developers ship better code, faster   ! While we’re all excited about the new improvements to Bitbucket ...

1,804 views 0 7
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you