I am using the webhook registration api to register webhooks for my users https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-webhooks/#api-rest-api-3-webhook-post. However, these webhooks come without protection and hackers can spoof calls to our server and fetch sensitive data. Therefore it would be important to have a shared secret set up on both Jira and server side so we can have the webhook communication verified. Or we could define the header as needed to include a JWT for verification. However, OAuth 2.0 apps currently do not support this, and a Forge app cannot be integrated directly into my NextJS webapp, which I need to use for authentication. Any help would be appreciated!
Hi @TianlinZhao
I found this, I think you can use a secret since 2024: https://jira.atlassian.com/browse/JRACLOUD-31953
From my experience this only works for the cloud space based webhooks, which does not apply to dynamically generated ones. The one you create from the cloud console won’t be fetched by the REST API and the one you registered using REST API won’t show up on cloud console as far as I can see.
Also, the REST API itself does not offer a secret field for me to fill in when constructing the request body, so it seems I cannot set up a secret for it.
Hello @TianlinZhao
As you have discovered, it seems that adding security secrets to webhooks only applies to those global ones that are created within Jira’s GUI, and that same security secret cannot be applied to dynamic webhooks that are created using the respective REST API endpoints.
If this is a feature that is of importance to you, then JRACLOUD-96162 [Support Sending Jira Software Cloud Webhooks and Logs via Secure REST Endpoint with OAuth 2.0 JWT] is probably the one that best matches your requirement and you should be voting for.
Anyhow, just to give a different perspective, it’s been well known for a long time that webhooks are not secure communication channels; they were intended for sending real-time notifications of events, and not intended to protect sensitive data related to the event in a secure manner.
If your Jira Cloud instance contains data that is sensitive enough for your organisation to be worried about hackers spoofing calls to Atlassian’s cloud platform and fetching sensitive data, then you probably should reconsider using webhooks in the manner you’ve described. Maybe consider using them purely for notification of the event, then making an OAuth 2.0 authenticated request to the corresponding REST API endpoint and collecting the sensitive part of the data related to the event.
IMHO, if I were in your position, I’d be more worried about the security of the sensitive data once it had been transferred in situ to the external web app.