Autotask Webhook - Too easy to generate new URI

:computer: Environment

We're using Autotasks and Relayers to perform meta-transactions from our dapps on Polygon networks (mumbai and mainnet).


Spent a couple hours today chasing down why all of a sudden our requests to an Autotask Webhook URI were returning a 200 payload with {"message": "Unauthorized"}

I eventually discovered that the Autotask URI had been regenerated. I don't recall regenerating, and nobody on my team does, but to be frank it's entirely possible someone clicked this little button thinking it was to refresh the table? Or just clicked it by accident?

Seems like we can prevent regeneration with RBAC for specific users, but I would suggest moving this button into the settings page for the autotask, or at least putting a confirmation step in.

Other improvements here could be an email notification when a URI is regenerated, and a more descriptive error message would also help - we use an Unauthorized() custom Solidity error in our contract, so thought we were hitting that rather than an OZ API issue.

Thanks OZ! Glad we found the culprit but yeah this feels like a dangerous UX...

1 Like

Hey @sbauck,

Thank you so much for reporting and also for providing us enough context.
This is not the first time we hear this issue. Indeed it's happened some times but nobody had taken the ticket. I just sent a PR so I'm aiming to get this out on the next release, here are some sneak peaks:

I'm adding a confirmation dialog and also changing the icon for one that's more warn-like. I'm interested in your feedback here in case we can improve it.

Regarding the error message behind the webhook URI. I'll take a look to see if we have control over it, since that message might be returned from our infra.

FWIW, I checked the logs and this is the userId who changed the Webhook URI: a1dfda7a-4e77-4b9d-9955-919186e88454

Let me know your thoughts about the new icon and dialog, and if you need anything else.

1 Like

LMAO that's my user id, getting aired out by logs, amazing.

Thanks @ernestognw this is a great fix, sorry to vent here!

1 Like

No problem @sbauch, actually I didn't say it was you to avoid airing you without consent :stuck_out_tongue:

We just released a new version in which a confirmation dialog was implemented.

Thanks for your feedback!

@ernestognw is there a programatic way to get the current webhook URI for a given autotaskId? I don't see it in the code or API docs and it would be helpful. I can get the token but there seems to be another id that is part of the webhook URI before the token.

Hi @EthosVentures

We currently do not return the webhook URI as part of the response. If you wish to run the autotask programmatically, you could leverage the runAutotask function.

I'd be interested however to know what your particular use case is for having the webhook URL returned as part of the response, perhaps I can relay this to the team.

I am planning to have the webhook used by a system that won't be leveraging the autotask-client. This is the point of the webhook, right?

In attempting to build out a test suite that would retrieve the webhook and make a POST to it, I found it wasn't possible to do programatically.

Thanks @EthosVentures, I have forwarded your request to the rest of the team. Will keep you posted!

Meanwhile, it might be useful for you to know the webhook URI is constructed as:


From the autotask response you will have access to the autotaskId and the token. The tenantId you can find in the UI, in the top-right corner, under the burger menu. This ID is unique to your account, and will never change.

1 Like

Thanks, that missing piece of the puzzle is enough for me!

1 Like