What are the request signing requirements for install/uninstall flow?


#1

Can anyone confirm the exact requirements for request signing for install/uninstall flows? Unfortunately, I can’t test this before actually submitting the app for review but from the information that I found I’d assume:

  • No X-Body-Signature verification in the install request (start of OAuth flow)
  • X-Body-Signature verification required in the uninstall request

This means technically, anyone with the install URL can install the app. But only correctly signed requests are accepted for uninstall requests.

Is this correct?


#2

Hey @tobi - yeah, exactly right. The install URL kicks off the OAuth flow whereby users have to sign in and approve via Intercom - the difference is that the uninstall URL is simply sent a webhook payload when someone uninstalls, and thus the signature is sent here as anybody could ping this URL :+1:
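For the uninstall side described in the answer above, here is an added example (not code from the thread or from Intercom) of how a receiving endpoint would fail closed on an unsigned or mis-signed request. It assumes X-Body-Signature is the hex-encoded HMAC-SHA256 of the raw request body keyed with the app's client secret; confirm the exact scheme against Intercom's current documentation before relying on it.

```python
import hashlib
import hmac
import string

# Assumption (not stated on the page): X-Body-Signature is the hex-encoded
# HMAC-SHA256 of the raw request body, keyed with the app's client secret.

def compute_body_signature(client_secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body bytes (assumed X-Body-Signature scheme)."""
    return hmac.new(client_secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()

def verify_uninstall_request(client_secret: str, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the request carries a valid X-Body-Signature.

    Header lookup is case-insensitive, a missing or malformed header fails
    closed, and the comparison is constant-time so timing does not leak how
    many leading characters of a guessed signature were correct.
    """
    provided = next((v for k, v in headers.items()
                     if k.lower() == "x-body-signature"), None)
    if not isinstance(provided, str):
        return False
    candidate = provided.strip().lower()
    # SHA-256 hex digest is exactly 64 hex characters; reject anything else
    # before comparing so compare_digest never sees non-ASCII input.
    if len(candidate) != 64 or any(c not in string.hexdigits for c in candidate):
        return False
    expected = compute_body_signature(client_secret, raw_body)
    return hmac.compare_digest(expected, candidate)

if __name__ == "__main__":
    # Constructed sample values: not a real secret, app id or Intercom payload.
    secret = "example-client-secret"
    body = b'{"event":"uninstall","app_id":"EXAMPLE_APP_ID"}'
    signed = {"X-Body-Signature": compute_body_signature(secret, body)}
    print(verify_uninstall_request(secret, signed, body))        # True
    print(verify_uninstall_request(secret, {}, body))            # False
    print(verify_uninstall_request(secret, signed, body + b" ")) # False
```

Verify against the raw bytes exactly as received; re-serialising the parsed JSON before hashing will change whitespace or key order and produce a spurious mismatch.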