Webhook signature & webhook for tasks

Hello Asana community!

I have two questions related to webhooks:

1) About the secret and the signature

The practice used is slightly different from the one used by most of the other tools that use webhooks. This means that usually the “secret” is shared once (is usually available on the app dashboard or similar) and it isn’t different for each webhook set.

Having a different secret for each webhook implies somehow that I have to store the secret when I receive the first post from Asana, during webhook creation. But how is it possible to distinguish this call from the one made by an attacker, since it’s not signed or authenticated in any other way? Also, what if I set multiple webhooks for the user (let’s say for all the projects he can see): do I need to store all the secrets? (trusting that they all come from Asana and not someone else?)

Am I missing something?

2) Being notified about new tasks

The webhook related to new tasks seems to be available only when watching a project (and not the workspace). Does this mean that if I want to track whenever a new task is created in any of the projects of the user I have to set a webhook for each project? (I currently have something like ~500 projects in Asana, is it fine to set 500 webhooks?) Is there a better way to monitor the creation/update of a task?

Thank you all

I’m not using the Asana webhook authentication as the service I use has its own type of authentication, so I can’t really comment on this one, but I believe what you state is accurate.

Correct, you do.

It is, for sure. There is a limit of 10,000 webhooks per authenticated user per API app, so at 500 you are wayyyyyyy under the limit.

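Added example (not part of the original posts and not Asana's code): one way a receiver can store one secret per webhook and refuse unexpected handshakes, assuming Asana's `X-Hook-Secret` handshake header and `X-Hook-Signature` HMAC-SHA256 signature over the request body. The random per-webhook URL token, the in-memory `_hooks` store and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# URL token -> stored secret; None means "created by us, handshake still pending".
# In-memory dict for illustration only; a real receiver would persist this.
_hooks = {}

def new_target_path():
    """Call right before asking Asana to create a webhook.
    Returns an unguessable token to embed in the target URL (/hooks/<token>)."""
    token = secrets.token_urlsafe(32)
    _hooks[token] = None
    return token

def sign(secret, body):
    """Hex HMAC-SHA256 of the raw request body, keyed with the webhook secret."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()

def handle_request(token, headers, body):
    """Handle a POST to /hooks/<token>; returns (status, response_headers).
    Assumes header names were normalised to the casing used below."""
    if token not in _hooks:
        return 404, {}                      # not a webhook we registered
    stored = _hooks[token]
    offered = headers.get("X-Hook-Secret")
    if offered is not None:
        if stored is not None:
            return 403, {}                  # secret already set: never overwrite
        _hooks[token] = offered             # first handshake for a pending hook
        return 200, {"X-Hook-Secret": offered}
    if stored is None:
        return 403, {}                      # events before handshake: reject
    received = headers.get("X-Hook-Signature", "")
    # Constant-time comparison on bytes avoids timing leaks and str type errors.
    if not hmac.compare_digest(sign(stored, body).encode(), received.encode()):
        return 401, {}
    return 200, {}
```

The handshake itself stays unsigned; what limits it here is that it is accepted only once, and only on a URL the receiver generated for a webhook it was in the middle of creating.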