Callback and callback key

Hey Sara, The callback key is passed through the Authorization header as "Basic {callbackKey}". You'd use this to make sure you're receiving notifications that contain our shared secret, so you know you're not getting spoof calls and can react accordingly. The body of each call may vary based on the notification event type. Hope this helps. Let us know if you need more! :)

Thanks for the response, so there is no option for oAuth2.0 for the callback? Thanks

Not to my knowledge. I'll check, tomorrow, with support, to make sure there isn't some hidden back office configuration that I'm unaware of. Otherwise, your only option would be to encode/encrypt your username and password into some sort of key that you could decode/decrypt on your side to verify the request.

Just wanted to let you know that I verified this to be correct. Callback keys are the only configuration available to secure this info. No personal or confidential information is passed through callbacks. Hope this helps. If you'd like to submit a request for different security options, you'll have to email support at [email protected]

Thank you for checking on this. We are not looking to pass any personal info. Our platform requires at least oAuth 2.0 Authentication for rest APIs and we need to find a workaround as oneSpan is only supporting Basic Auth for Callbacks. Thanks --Sara

You could look at using a proxy or something to add the appropriate info or building a separate pass-through, listener application that can accept the callbacks and forward them to your application with the appropriate authentication. Those would be my initial workaround thoughts while waiting on any resolution from an enhancement request.