Webhook Policy

To verify that a webhook request originated from the 4me account in which it is registered, the webhook payload can be cryptographically signed. This is achieved by linking one of more webhooks to a webhook policy. A webhook policy defines how 4me needs to cryptographically sign webhook messages. Within a webhook policy it is possible to select the algorithm that is to be used to sign the webhook messages.

When a webhook is linked to a webhook policy, the payload of its messages will be a JSON Web Token (JWT) encoded message. The public key from the webhook policy can then be used to decode and verify the payload. The private key of the webhook policy is known only to 4me.

Only a person who has the Directory Administrator role or the Account Administrator role of an account can maintain the webhooks of that account.

The Webhook Policy Fields page provides field utilization guidelines for each field of the Webhook Policy form.