saraizad | Posts: 17

Callback and callback key

0 votes
Hi, how is the Callback Key being passed when an event is raised? Can you please provide a raw sample for the transaction including header tags? Would it be OAuth? 'Bearer [callback key]'? Thanks, Sara

mwilliams | Posts: 957

Reply to: Callback and callback key

0 votes
Hey Sara, The callback key is passed through the Authorization header as "Basic {callbackKey}". You'd use this to make sure you're receiving notifications that contain our shared secret, so you know you're not getting spoof calls and can react accordingly. The body of each call may vary based on the notification event type. Hope this helps. Let us know if you need more! :)

saraizad | Posts: 17

Reply to: Callback and callback key

0 votes
Thanks for the response. So there is no option for OAuth 2.0 for the callback? Thanks

mwilliams | Posts: 957

Reply to: Callback and callback key

0 votes
Not to my knowledge. I'll check, tomorrow, with support, to make sure there isn't some hidden back office configuration that I'm unaware of. Otherwise, your only option would be to encode/encrypt your username and password into some sort of key that you could decode/decrypt on your side to verify the request.

mwilliams | Posts: 957

Reply to: Callback and callback key

0 votes
Just wanted to let you know that I verified this to be correct. Callback keys are the only configuration available to secure this info. No personal or confidential information is passed through callbacks. Hope this helps. If you'd like to submit a request for different security options, you'll have to email support at [email protected]

saraizad | Posts: 17

Reply to: Callback and callback key

0 votes
Thank you for checking on this. We are not looking to pass any personal info. Our platform requires at least OAuth 2.0 authentication for REST APIs and we need to find a workaround as OneSpan is only supporting Basic Auth for callbacks. Thanks --Sara

mwilliams | Posts: 957

Reply to: Callback and callback key

0 votes
You could look at using a proxy or something to add the appropriate info, or building a separate pass-through listener application that can accept the callbacks and forward them to your application with the appropriate authentication. Those would be my initial workaround thoughts while waiting on any resolution from an enhancement request.
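
The pass-through listener suggested in the last reply, sketched as an added example that is not part of the thread and not OneSpan code: it checks the "Basic {callbackKey}" Authorization header in constant time, then builds the forwarded request with an OAuth 2.0 bearer token in its place. The internal URL, the get_token callable, the sample key and the sample body are assumptions constructed for illustration, and the key is assumed to appear verbatim after "Basic " as described above.

```python
import hmac
import urllib.request

# Assumption: placeholder for the OAuth-protected internal endpoint.
INTERNAL_URL = "https://internal.example/esign/events"


def key_is_valid(authorization, expected_key):
    """Check an Authorization header of the form 'Basic {callbackKey}'."""
    if not authorization or not expected_key:
        return False
    scheme, _, presented = authorization.partition(" ")
    if scheme.lower() != "basic":
        return False
    # Constant-time comparison so response timing does not leak the key.
    return hmac.compare_digest(presented.strip().encode(), expected_key.encode())


def build_forward(headers, body, expected_key, get_token):
    """Return (status, request).

    (401, None) when the callback key is missing or wrong; otherwise 202 and
    the outbound request, which carries a bearer token instead of the key.
    get_token is a hypothetical callable returning a current access token
    for the internal API (for example from a client-credentials grant).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not key_is_valid(h.get("authorization"), expected_key):
        return 401, None
    req = urllib.request.Request(INTERNAL_URL, data=body, method="POST")
    req.add_header("Content-Type", h.get("content-type", "application/json"))
    # The shared callback key is never forwarded downstream.
    req.add_header("Authorization", "Bearer " + get_token())
    return 202, req


if __name__ == "__main__":
    key = "constructed-callback-key"        # constructed sample value
    body = b'{"event": "SAMPLE_EVENT"}'     # constructed sample body
    status, req = build_forward({"Authorization": "Basic " + key}, body,
                                key, lambda: "constructed-token")
    print(status, req.get_method(), req.full_url)
    # A real listener would now send req with urllib.request.urlopen(req).
```

Reject with 401 before reading or logging the body, and keep the callback key in a secret store rather than in the listener's source.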
