Can anyone confirm the exact requirements for request signing for the install/uninstall flows? Unfortunately, I can’t test this before actually submitting the app for review, but from the information I found I’d assume:
- No X-Body-Signature verification in the install request (start of OAuth flow)
- X-Body-Signature verification required in the uninstall request
This means that, technically, anyone with the install URL can install the app, but only correctly signed requests are accepted as uninstall requests.
Is this correct?
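The post does not say how X-Body-Signature is computed, so the following is an added illustration of the uninstall-side check it describes, not code from the post or from the platform. It assumes (this is an assumption, not something the post states) that the header carries a hex-encoded HMAC-SHA256 of the raw request body keyed with the app secret; the secret, the header lookup, `sign_body`, `verify_body_signature`, `handle_uninstall` and the sample payload are all constructed for the example. The two points it is meant to show are the ones that usually go wrong in practice: the MAC has to be computed over the exact bytes received (re-serialising the parsed JSON changes whitespace and breaks the match), and the comparison has to be constant-time.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed sample secret for the example only; not a real credential.
APP_SECRET = b"example-app-secret-not-real"
SIGNATURE_HEADER = "x-body-signature"


def sign_body(body: bytes, secret: bytes = APP_SECRET) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the raw request body.

    Used here both to produce test requests and as the reference value
    the verifier recomputes. The real platform's scheme may differ.
    """
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def _get_header(headers: dict[str, str], name: str) -> str | None:
    # HTTP header names are case-insensitive; normalise before lookup.
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def verify_body_signature(body: bytes, headers: dict[str, str],
                          secret: bytes = APP_SECRET) -> bool:
    """Return True only if X-Body-Signature is present and matches the raw body.

    The MAC is computed over the exact bytes that arrived, never over a
    re-serialised copy of the parsed payload, and compared in constant time.
    """
    presented = _get_header(headers, SIGNATURE_HEADER)
    if not presented:
        return False
    expected = sign_body(body, secret)
    return hmac.compare_digest(expected, presented.strip().lower())


def handle_uninstall(body: bytes, headers: dict[str, str]) -> tuple[int, str]:
    """Uninstall webhook handler: reject anything that is not correctly signed.

    Verification happens before the body is parsed, so an unsigned or
    tampered request never reaches the teardown logic.
    """
    if not verify_body_signature(body, headers):
        return 401, "missing or invalid X-Body-Signature"
    payload = json.loads(body)
    installation = payload.get("installation_id")
    if not installation:
        return 400, "no installation_id in payload"
    # Real code would tear down the installation's stored tokens and data here.
    return 200, f"uninstalled {installation}"


if __name__ == "__main__":
    # Constructed sample uninstall payload (not a real platform message).
    raw = b'{"event": "uninstall", "installation_id": "inst_123"}'
    good = {"X-Body-Signature": sign_body(raw)}
    print(handle_uninstall(raw, good))
    print(handle_uninstall(raw, {}))
    print(handle_uninstall(raw.replace(b"inst_123", b"inst_999"), good))
```

The install start of the OAuth flow, which the post assumes is unsigned, is intentionally not covered here; only the uninstall request goes through `handle_uninstall`.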