Hi,
I am building out a Fusion Scenario using webhooks. I was wondering what other strategies exist to limit access to the webhook besides an IP restriction?
We would be hosting a server in AWS and can't use an IP restriction to restrict inputs from it.
Are there access token restrictions you can set up? OAuth / JWT restrictions?
How do you secure your webhooks?
Hi @EdwardDe2
I pass the sessionID and the customer ID in the URL, then do a lookup in Workfront to validate the session, get its user, and validate the user is part of the customer record (and often, that they are a sysadmin). Or pass the userID and sessionID and validate the userID belongs to the sessionID, e.g.
?s={!$$SESSION}&u={!$$USER.ID}
You could enable "get request headers" under Advanced Settings and then capture the incoming headers. Then, add a filter right after the webhook trigger where you validate the token/key.
Thank you!
Unfortunately it doesn't look like at present the JWT module in Fusion can do verification of JWT keys, it can just create them, so we would use API keys.
It would be nice if there was a way to integrate Fusion webhook scenarios with Workfront OAuth2 Applications so they could be more secure.
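The header check and API-key approach discussed in the replies above, written out in Python as an added example (not code from this thread or from Fusion). It shows the logic a filter after the webhook trigger would apply to the captured headers. The header name `x-api-key` and both key values are assumptions constructed for the example.

```python
import hashlib
import hmac

# Assumed header name; the thread does not name one.
API_KEY_HEADER = "x-api-key"

# Keep only SHA-256 digests of accepted keys (constructed sample values).
# Two entries let the sender rotate keys without an outage.
ACCEPTED_KEY_DIGESTS = {
    hashlib.sha256(b"constructed-current-key-5f2c").hexdigest(),
    hashlib.sha256(b"constructed-previous-key-91ab").hexdigest(),
}


def extract_key(headers):
    """Return the single API key from captured headers, or None.

    `headers` is a list of (name, value) pairs as captured from the incoming
    request. Names are matched case-insensitively, and a repeated header is
    rejected rather than guessing which copy to trust.
    """
    values = [v.strip() for n, v in headers if n.lower() == API_KEY_HEADER]
    if len(values) != 1 or not values[0]:
        return None
    return values[0]


def is_authorized(headers):
    """True only when exactly one key is present and matches an accepted digest."""
    key = extract_key(headers)
    if key is None:
        return False
    digest = hashlib.sha256(key.encode("utf-8")).hexdigest()
    # compare_digest does not leak how many leading characters matched.
    # Every accepted digest is checked, so timing does not show which one hit.
    matched = False
    for accepted in ACCEPTED_KEY_DIGESTS:
        matched |= hmac.compare_digest(digest, accepted)
    return matched
```

Requests that fail the check should be dropped before any later module runs, and the key should travel in a header rather than the URL so it stays out of access logs.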