Skip to content

Commit 3498e4c

Browse files
rmcdanielrmcdaniel
authored
Clarify workflowId validation in webhooks documentation
Added a note about workflowId validation in webhooks.
1 parent 0793d87 commit 3498e4c

File tree

1 file changed

+2
-0
lines changed

1 file changed

+2
-0
lines changed

docs/features/webhooks.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -75,6 +75,8 @@ class OrderWorkflow extends Workflow
7575
POST /webhooks/signal/order-workflow/{workflowId}/mark-as-shipped
7676
```
7777

78+
**Important:** The `{workflowId}` in signal webhook URLs is passed directly by the caller and is not validated for ownership. If your application requires that only authorized users can send signals to specific workflows, you should use signed URLs or implement authorization checks in a custom authenticator.
79+
7880
### Example Request
7981
```bash
8082
curl -X POST "https://example.com/webhooks/signal/order-workflow/1/mark-as-shipped" \

0 commit comments

Comments
 (0)