Securing Fusion Webhook?

Forum|Forum|6 months ago
July 1, 2025
2 replies
537 views

Hi,

I am building out a Fusion Senario using webhooks. I was wondering what other strategies exist to limit access to the webhook besides an IP restriction?

We would be hosting a server in AWS and can't use a IP restriction to restrict inputs from it.

Are there access token restrictions you can setup? OAuth / JWT restrictions?

How do you secure your wehooks?

Best answer by Sven-iX

Hi @edwardde2

I pass the sessionID and the customer ID in the URL, then do a lookup in Workfront to validate the session, get its user, and validate the user is part of the customer record (and often, that they are a sysadmin) . Or pass the userID and sessionID and validate the userID belongs to the sessionID, e.g.
?s={!$$SESSION}&u={!$$USER.ID}

CrisDonaldson

Level 3

You could enable "get request headers" under Advanced Settings and then capture the incoming headers. Then, add a filter right after the webhook trigger where you validate the token/key.

E

EdwardDe2Author

Level 2

Thank you!

Unfortunately it doesn't look like at present the JWT module in Fusion can do verification of jwt keys, it can just create them, so we would use API keys.

It would be nice if there was a way to integrate fusion webhook scenarios with Workfront OAuth2 Applications so they could be more secure.

Sven-iX

Accepted solution

Community Advisor

Hi @edwardde2

I pass the sessionID and the customer ID in the URL, then do a lookup in Workfront to validate the session, get its user, and validate the user is part of the customer record (and often, that they are a sysadmin) . Or pass the userID and sessionID and validate the userID belongs to the sessionID, e.g.
?s={!$$SESSION}&u={!$$USER.ID}

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded