Webhook Security Update - Neto v6.354.0
What's changed?
Up until now, Neto has sent the webstore's Global API Key as a Header in all Order Notification calls. This allows your application to validate the API Key and confirm that the notification came from Neto, and from which Neto webstore in particular.
While all Order Notifications are sent via POST, this could still pose a concern if a Webhook URL was accidentally updated in the control panel and a notification, with the Global API Key in its Header, was sent to an unexpected application.
To mitigate this risk, as of Neto v6.354.0 the Global API Key is no longer sent as part of the Order Notification. Instead, a new Webhook Verify Token is sent in its place. As this token has no connection to the Neto API, it cannot be used to make authenticated calls to the Neto API.
To avoid any breaking changes, the name of the Header sent with the webhook has not changed, only the value of the Header. Further, the Webhook Verify Token will default to the Global API Key value until regenerated.
What do I need to do?
If you are currently using the Neto webhook feature, you must update your Webhook Verify Token API Settings value. From your Neto control panel, navigate to: Settings & Tools > All Settings & Tools > API Settings and click the Regenerate button next to the Maropost Webhook Verify Token value. Finally, click Save Changes.

If your application is using the Global API Key to validate the webhook notification, you will need to compare the NETOAPI_KEY Header value against the Webhook Verify Token value instead.
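One way a receiving application could perform this comparison, as an added example that is not Neto's own code. The function names, the header list shape and the token values are assumptions made for illustration; only the NETOAPI_KEY header name comes from this page.

```python
import hmac

HEADER_NAME = "NETOAPI_KEY"  # name from the page; its value is now the Webhook Verify Token


class WebhookConfigError(Exception):
    """Raised when the receiver is configured with an unsafe verify token."""


def load_verify_token(verify_token, global_api_key=None):
    """Return the token to check against, refusing unsafe configurations."""
    if not verify_token:
        raise WebhookConfigError("Webhook Verify Token is not configured")
    # Until regenerated, the token defaults to the Global API Key, so a match
    # means every notification still carries a credential for the Neto API.
    if global_api_key and hmac.compare_digest(
        verify_token.encode(), global_api_key.encode()
    ):
        raise WebhookConfigError("Webhook Verify Token has not been regenerated")
    return verify_token


def is_authentic_notification(headers, verify_token):
    """True only if exactly one NETOAPI_KEY header matches the verify token.

    `headers` is a list of (name, value) pairs (assumed shape for this example).
    """
    # HTTP header names are case-insensitive; collect every matching value.
    values = [v for k, v in headers if k.lower() == HEADER_NAME.lower()]
    # Fail closed on a missing, empty or repeated header.
    if len(values) != 1 or not values[0]:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(values[0].encode(), verify_token.encode())


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    token = load_verify_token("constructed-verify-token", "constructed-global-key")
    good = [("Content-Type", "application/xml"), ("NETOAPI_KEY", token)]
    stale = [("NETOAPI_KEY", "constructed-global-key")]
    print(is_authentic_notification(good, token))   # accepted
    print(is_authentic_notification(stale, token))  # rejected: old Global API Key
```

Some reverse proxies drop request headers whose names contain underscores (nginx does so by default), in which case the header never reaches the application and this check rejects the notification.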