Webhook Security

Dataless notifications

  • High
  • Send webhook notifications without confidential data
  • Help reduce webhook security requirements
  • Can reduce request traffic with bulk operations
  • Webhook consumers must reach provider to gather information
  • Webhook consumers must have API keys to call the provider
  • API Performance and API Limits

Microsoft OneNote uses webhooks only to signal that an event has happened. The webhook payload carries only minimal data — event id, expiration date, resource, and state — without confidential details, reducing the risk of data breaches:

  "value": [
      "subscriptionId": "A640DFF3-0429-44FC-AF7E-30523A476864",
      "expirationDateTime": "2017-02-22T16:00:00Z",
      "resource": "/me/drive/root",
      "clientState": "client-specific string"

Upon receiving a webhook notification, consuming apps make a request to the provider to gather more details about the event.

While this technique helps reduce webhook security requirements, it requires webhook consumers to make proprietary API calls to the webhook provider to gather details. This adds implementation complexity for the webhook consumer and operational complexity with distributing API keys, handling REST API performance, and rate limits.