The table below lists the fields of the Webhook Policy form and provides utilization guidelines for each field.
Field Label
Utilization Guideline
JWT algorithm
The JWT algorithm field is used to select the algorithm to use for cryptographic signing of webhook messages. If cryptographic signing is used, the algorithm for decoding a received message needs to be specified to ensure that an attacker cannot bypass the algorithm verification step. See also JSON Web Algorithms (JWA).
Claim expires in
The Claim expires in field is used to specify the expiration time on or after which the JSON Web Token (JWT) must no longer be accepted for processing. The payload of a webhook will have an “exp” (expiration time) claim based on this value. The processing of the “exp” claim requires that the current date/time must be before the expiration date/time listed in the “exp” claim. Implementers may provide for some small leeway, usually no more than a couple of minutes, to account for clock skew. For more information see “exp” (Expiration Time) Claim of a JSON Web Token (JWT).
Audience
The Audience field is used to specify the value for the audience claim. The audience claim identifies the recipients that the encrypted message is intended for. For more information see “aud” (Audience) Claim of a JSON Web Token (JWT).
Webhooks
The Webhooks field is used to select the webhooks that must use this webhook policy to cryptographically sign their messages.