Missing webhooks associated with my user when calling through API

I have two active webhooks that I created under my user that are running on Zapier. When I try to list them in a GET call I get back an empty list.

import os
import requests

ACCESS_TOKEN = os.environ.get("ASANA_ACCESS_TOKEN")
API_URL = "https://app.asana.com/api/1.0"
headers = {"Authorization": f"Bearer {ACCESS_TOKEN}"}
url = f"{API_URL}/webhooks/?workspace=293275407418062"

# List the webhooks visible to this token in the workspace
r = requests.get(url, headers=headers)
print(r.json())
# {'data': []}

Hi @Yoni_Sidi,

Are you 100% sure that ASANA_ACCESS_TOKEN is giving access to the same Asana user account that created the webhooks? It must be the same one or you’ll get the result you’re seeing.

The webhooks are associated with a token or a user gid? The token should be associated with the same user gid, right?

Webhooks are associated with the Asana user account of whatever Asana account you authenticated to when you created the webhook. Make sense?

In theory, it should work this way; in practice though when I generate a webhook from the same user using a token and then query for that webhook from the same user using another token I get an empty response back.

Hi @Yoni_Sidi, sorry for the confusion. I reached out to our engineering team and they wanted to clarify that webhooks are tied to the token, so per (user, oauth app). Going by this definition, the result that you encountered in your scenario makes sense.

Example Scenario

  1. Create 2 personal access tokens from the developer console. Let’s call these TOKEN_1 and TOKEN_2
  2. Establish a webhook (POST /webhooks) using TOKEN_1
  3. Call Get multiple webhooks (GET /webhooks) using TOKEN_1 → Result = Shows webhook that we established in step 2
  4. Call Get multiple webhooks (GET /webhooks) using TOKEN_2 → Result = DOES NOT show webhook that we established in step 2

We also clarify this in our description for “Get multiple webhooks”:

“Get the compact representation of all webhooks your app has registered for the authenticated user in the given workspace.”

Thanks for the clarification.

In this scenario, an app is a token?

Is there any way to retrieve all webhooks across a user in the case the user doesn’t have all the tokens?

This doesn’t make any sense. The API docs clearly state that /webhooks will pull all of the webhooks for an authenticated user - not the Token. Nor does it make any sense that we’d ever want just the webhooks for a particular token (e.g. not a feature - definitely a bug).

I think there may be some misunderstanding of what @John_Vu means when he refers to a “token”. John, can you clarify?

Hi William,

Apologies for the late reply. Admittedly our documentation is not that clear.

When we say “all webhooks your app has registered for the authenticated user in the given workspace” it implies that you have built an app that uses OAuth to authenticate users and make API calls on behalf of that user. When a user gives your app permission to make API calls on their behalf using OAuth, your app will receive an access token to make API calls on their behalf. This token can be used to establish webhooks for the user of your app. When your app calls GET /webhooks for that user using the token provided through the OAuth process, it will get all webhooks that your app has registered for that user. The keywords here are “all webhooks your app has registered for the authenticated user”.

I talked to our webhooks team and they said that this is not a bug but the intended behavior. The reason is that we do not want apps to be able to modify each other’s webhooks that they created for their users.

Take this scenario: if webhooks were truly tied to the user, that would mean any app that creates a webhook can call UPDATE /webhook and modify the webhook that another app has established for that user. This is why webhooks are tied to the Personal Access Token or authenticated user of an OAuth app.

I know this can be confusing. Let me know if this explanation doesn’t make sense, and I can try to explain it another way.

@Yoni_Sidi to quickly answer your question: No, there is no way to retrieve all webhooks across the user in the case the user doesn’t have all the tokens.

We use the term “token” because there are two common ways to make API calls with Asana, both of which use tokens:

  1. Using a Personal Access Token (PAT)
  2. Using the access token provided by an authenticated user through an OAuth app

For case 1, when you establish a webhook using a PAT, that webhook is tied to that PAT. So when you call GET /webhooks using that PAT, it will return all webhooks that were established using that particular PAT. This is why when you try to call GET /webhooks with another PAT you don’t see webhooks established using other PATs.

For case 2, a user authenticates with an OAuth app and in turn the app receives an access token that it can use to establish a webhook for that authenticated user (most of the time this access token is abstracted through an OAuth library so you rarely see it). So when the OAuth app calls GET /webhooks for that user, it will return all webhooks that were established for that user of the OAuth app.

2 Likes
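
An added example (not code from this thread or from Asana) of what the per-token scoping described above means for a webhook audit: the listing has to be repeated with every token you hold, and anything registered with a token you do not hold stays invisible. The names `asana_get`, `webhooks_for_token`, `inventory` and the `fake_get` stand-in are hypothetical; the `limit`/`offset`/`next_page` paging and the `gid`/`target` fields are assumed from Asana's public API reference.

```python
import json
import urllib.parse
import urllib.request

API_URL = "https://app.asana.com/api/1.0"

def asana_get(token, path, params):
    """One authenticated GET against the Asana API; returns the decoded JSON body."""
    url = f"{API_URL}{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def webhooks_for_token(token, workspace_gid, get=asana_get):
    """Webhooks registered with this one token, following next_page offsets."""
    params, found = {"workspace": workspace_gid, "limit": 100}, []
    while True:
        body = get(token, "/webhooks", params)
        found.extend(body["data"])
        next_page = body.get("next_page")
        if not next_page:
            return found
        params = {**params, "offset": next_page["offset"]}

def inventory(tokens, workspace_gid, get=asana_get):
    """tokens maps a label to a token; returns {webhook gid: {"token", "target"}}."""
    seen = {}
    for label, token in tokens.items():
        for hook in webhooks_for_token(token, workspace_gid, get):
            seen[hook["gid"]] = {"token": label, "target": hook.get("target")}
    return seen

# Constructed stand-in for the API, modelling steps 1-4 of the example scenario:
# the webhook was created with TOKEN_1, so only TOKEN_1 can list it.
FAKE_STORE = {
    "TOKEN_1": [{"gid": "1001", "target": "https://hooks.example.test/asana"}],
    "TOKEN_2": [],
}

def fake_get(token, path, params):
    return {"data": FAKE_STORE.get(token, []), "next_page": None}

if __name__ == "__main__":
    ws = "293275407418062"  # workspace gid from the original post
    print(webhooks_for_token("TOKEN_2", ws, fake_get))  # step 4: empty list
    print(inventory({"pat-1": "TOKEN_1", "pat-2": "TOKEN_2"}, ws, fake_get))
```

Recording which token registered each webhook matters at rotation or offboarding time, since that token is the only credential that can later list the webhook.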