A new security feature has been added to 4me’s Webhooks API. This feature ensures that 4me verifies whether a webhook’s endpoint is actually owned by the organization that specified the endpoint in the webhook.
Now, when a new webhook is registered, 4me immediately sends a webhook.verify message to the endpoint specified in the URI field of the webhook. The payload of this webhook message contains a callback parameter that must be called to prove ownership of the endpoint. A webhook is inactive until the verification callback is received by 4me.
4me considers all webhooks that already existed ‘verified’ so the extra verification step is required only for new webhooks and webhooks in which the value in the URI field is updated.
More information about Webhook verification can be found in the 4me Developer Documentation.