Since apparently you're not reachable for API questions via email, I guess I'll have to put all the questions in here, since it would be tedious to create one for each of them.

So we're planning on creating a webhooks system for our integrations to create a better experience for our users. There are a few pieces that are missing on our end to support having a Podio integration that runs 100% on webhooks.

  1. Support organization-level webhooks instead of only space-level ones.
  2. Send the full object payload in the webhook push so we don't need to fetch the resource again, or at least provide a delta of the changes.
  3. Have a secret token header that you send with each request so we can assure the authenticity of the data (that it's actually from Podio and not someone trying to hack our system).

GitHub does a great job with this: https://developer.github.com/webhooks/#delivery-headers.

  4. Ability to unsubscribe from a webhook if the client revokes the OAuth credentials. Do you automatically delete that webhook, or do we need to contact the user or you guys to get rid of it?

Trello, for instance, deletes all webhooks associated with a token if it's revoked; a second option is that our server sends a 410 Gone back and the webhook, well, you guessed it, is gone.

Do you think something like this is feasible in the near future?


1 Answer


Thanks for your insights :)

  1. Seems a pretty valid point. Are there any particular org operations that you are interested in having webhooks for? Can you also describe some use cases for org-level webhooks?

  2. Sending the full object payload is pretty complicated because items in Podio can be extremely big, and it might not be needed for the webhook to get all the details. That's why we keep it small and tiny and let Podio partners build their own complicated solutions based on webhooks.

  3. A secret token is not much needed if only the item_id is sent in the webhook. Let's review it in the item-modified scenario.

    1) User (or anything else) modifies an item
    2) item.modified webhook is triggered with the item_id
    3) 3rd-party app receives the webhook
    4) 3rd-party app makes a call to the Podio API (if needed) and gets all required information from the Podio API

So, if the webhook request is fake, then the Podio API will return the same item details and nothing is affected. If you want to have some extra layer of security: why not make the webhook URL unique and specific to the webhook? Then only Podio will know which URL to use to trigger this webhook.

  4. Ability to unsubscribe from a webhook if the client revokes the OAuth credentials.
    Sorry, but I don't understand your question. Can you please re-phrase it as a new StackOverflow question?
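The receiver side of the flow described in the answer (treat the webhook as a trigger, re-fetch the item from the authoritative API, and optionally hide the hook behind an unguessable URL), together with the signature header the question asks for and the 410 Gone handling it mentions, as an added example that is not part of either post and not Podio's own code. Assumptions, none of which come from the page: the body is form-encoded with `type` and `item_id` fields, the signature travels in a GitHub-style `X-Hub-Signature-256: sha256=<hex>` header computed as HMAC-SHA256 over the raw body, and a constructed in-memory dict stands in for the Podio API.

```python
"""Webhook receiver sketch (added example; not Podio's code).

Demonstrates three controls on one handler:
  - unique, unguessable hook URL  (the answer's suggestion)
  - trusting only item_id and re-fetching from the API (the answer's flow)
  - optional HMAC signature header (what the question asks for, GitHub-style)
plus a 410 Gone response once the user's OAuth grant has been revoked
(the Trello-style unsubscribe the question mentions).
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

SIG_HEADER = "X-Hub-Signature-256"   # assumed header name, borrowed from GitHub
EVENT_ITEM_MODIFIED = "item.modified"  # event name as used in the answer

# Constructed stand-in for the authoritative Podio API (not real Podio data).
FAKE_PODIO_API: Dict[int, dict] = {
    1001: {"item_id": 1001, "title": "Invoice #42", "status": "paid"},
}


def fetch_item(item_id: int) -> Optional[dict]:
    """Stand-in for 'GET /item/{item_id}' against the real API."""
    return FAKE_PODIO_API.get(item_id)


def sign(secret: bytes, body: bytes) -> str:
    """Sender-side helper: value of the assumed signature header for `body`."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


@dataclass
class WebhookReceiver:
    secret: Optional[bytes]          # None = no signature check (the answer's baseline)
    hook_path_token: str             # random path segment: the answer's "unique URL"
    token_revoked: bool = False      # set when the user revokes the OAuth grant
    items: Dict[int, dict] = field(default_factory=dict)  # mirror filled only from the API

    def verify_signature(self, body: bytes, header: Optional[str]) -> bool:
        """Constant-time check of the assumed 'sha256=<hex>' header."""
        if self.secret is None:
            return True
        if not header or not header.startswith("sha256="):
            return False
        return hmac.compare_digest(header, sign(self.secret, body))

    def handle(self, path: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
        """Process one delivery; returns (http_status, reason)."""
        # 1) Only the secret path is served; a guessed URL gets nothing back.
        if path != f"/hooks/{self.hook_path_token}":
            return 404, "unknown hook URL"
        # 2) Credentials revoked: ask the sender to drop the hook (410 Gone).
        if self.token_revoked:
            return 410, "gone"
        # 3) Optional authenticity check on the raw body.
        if not self.verify_signature(body, headers.get(SIG_HEADER)):
            return 401, "bad signature"
        # 4) Parse the trigger. Nothing but item_id is ever trusted from it.
        fields = {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}
        if fields.get("type") != EVENT_ITEM_MODIFIED:
            return 200, "ignored"
        try:
            item_id = int(fields["item_id"])
        except (KeyError, ValueError):
            return 400, "missing item_id"
        # 5) Re-fetch from the authoritative source; a forged body that says
        #    title=HACKED cannot reach the mirror because it is never read.
        item = fetch_item(item_id)
        if item is None:
            return 200, "no such item"
        self.items[item_id] = item
        return 200, "ok"


if __name__ == "__main__":
    rx = WebhookReceiver(secret=b"shared-secret", hook_path_token="9f1c3e")
    body = b"type=item.modified&item_id=1001"
    print(rx.handle("/hooks/9f1c3e", {SIG_HEADER: sign(b"shared-secret", body)}, body))
```

The design note a practitioner would want: re-fetching makes a forged trigger harmless to your data, as the answer says, but it still costs you an API call per forged request, so the unique URL or the signature is what stops an attacker from making your integration burn rate limit on their behalf.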