Understand the authentication options available for Webex Connect APIs and Webhooks
Authentication options for Webex Connect APIs and Webhooks
All requests to the Webex Connect APIs and Webhooks are authenticated using either a key or JSON Web Tokens (JWT). Here are the authentication details for various APIs offered by Webex Connect.
Note
If you are looking for authentication details for Webex Connect Sandbox APIs, please refer here.
API / Webhooks | Authentication Types Supported |
---|---|
Messaging API (v1 and v2) | 1. Service Key 2. Service Specific JWT Tokens (Refer to this page to learn how you can access Service Keys and JSON Web Tokens for a Service in Webex Connect). |
Custom Event API v1 | 1. Service Key 2. Service Specific JWT Tokens |
Inbound Webhooks | 1. Service Key 2. Service Specific JWT Tokens |
Contact Policy APIs | Profile Key (Available under Tenant Settings page. Refer to this page for more info.) |
RCS Capability Lookup API | 1. Service Key 2. Service Specific JWT Tokens |
Profile API v2 | Profile Key (Available under Tenant Settings page) |
Thread APIs | JWT Tokens (Refer to the JWT Set-up Tutorial in SDK Docs) |
Segment APIs | JWT Tokens (Refer to the JWT Set-up Tutorial in SDK Docs) |
Topic APIs | JWT Tokens (Refer to the JWT Set-up Tutorial in SDK Docs) |
Authentication Best Practice
You can use either Service Key or JSON Web Tokens (JWT) for authentication when using Messaging APIs, Custom Event API v1, inbound webhooks, and other APIs mentioned above. If you use both JWT authentication and Service Key in an API request, JWT authentication takes priority, and the Service Key is ignored.
Rotating API Authentication Credentials
We encourage you to rotate your API credentials (Service Key and/or JWT tokens) periodically to strengthen your security posture and prevent unauthorised access. Refer to this article to understand how you can create a new Service Key / JWT credentials and discard existing ones as per security best practices.
IP Allowlisting for APIs and Webhooks
Additionally, Webex Connect supports IP allowlisting to validate the request source for Messaging API, Custom Event API, Inbound Webhooks, and user logins. Send an email to the support team if you want to enable IP allowlisting for your tenant.