HTTP integration authorization

Hello. Bear with me 🙂

So, I’m using the HTTP integration to send (POST) data to my Google Firebase app. Over there I’ve exposed an endpoint (serverless function) that gets the POST request and stores data to my Cloud Firestore database. So far so good.

The issue I have now, well, I’m asking myself how I can prevent everyone out there from hitting my REST endpoint and manipulating my data.

One way would be to use JWT tokens, but for that the ChirpStack integration would need to send a token to my endpoint so I can verify it. Is the “add header” functionality under the HTTP integration meant for that?

Supposing what I’m trying to achieve is not doable or not the way to go, how is authorization supposed to be implemented?

Thanks, Marko

You could indeed add additional headers containing a token, which is used at your side to validate if the request actually came from ChirpStack 🙂

Hi! I’m trying to do the same, in this case using JWT tokens for the HTTP integration with a DB API. The problem I’m having is that the only way I have to configure the headers is specifying a long-term token, which is not the best approach from the security point of view.

Question is, is there a simple way to be able to renew the tokens in order to be able to change the tokens from time to time automatically?

Any help is welcome. I’m not an expert in JWT thingies.

Thank you in advance!

Hi @nmenoni ,

As far as I’ve studied, that’s right. Only static tokens can be used. It would be quite complex to implement this in AS since it has numerous types of implementations to give effective support.

If you have a concern about this, I would implement a service on your side, which from time to time would make a request to update the integration token through an integration with the Application Server API (HTTP or gRPC).

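A receiver-side check for the static header token discussed in this thread, with a rotation window so that a service updating the integration header can swap tokens without rejected uplinks. This is an added example, not code from any of the posters or from ChirpStack; the `Authorization: Bearer` header choice, the token values and the function names are assumptions.

```javascript
const { createHash, timingSafeEqual } = require("node:crypto");

// Constructed sample secrets (assumption); load real ones from a secret store.
const ACCEPTED_TOKENS = {
  current: "constructed-token-2024-06",
  previous: "constructed-token-2024-05", // accepted until rotation has propagated
};

// Hash both sides so timingSafeEqual always compares equal-length buffers
// and the comparison time does not depend on where the strings differ.
function sameToken(a, b) {
  const ha = createHash("sha256").update(a, "utf8").digest();
  const hb = createHash("sha256").update(b, "utf8").digest();
  return timingSafeEqual(ha, hb);
}

// Returns "current", "previous" or null for a headers object whose keys are
// lower-cased, as Node's HTTP server presents them.
function matchToken(headers, accepted = ACCEPTED_TOKENS) {
  const value = headers["authorization"];
  if (typeof value !== "string") return null;
  const m = /^Bearer ([\x21-\x7e]+)$/.exec(value);
  if (!m) return null;
  let matched = null;
  // Compare against every configured token; empty slots never match.
  for (const [slot, token] of Object.entries(accepted)) {
    if (token && sameToken(m[1], token) && matched === null) matched = slot;
  }
  return matched;
}

// Decision for one uplink request: reject before touching the database.
// rotationPending signals that the sender still uses the old token.
function authorizeUplink(headers, accepted = ACCEPTED_TOKENS) {
  const slot = matchToken(headers, accepted);
  if (slot === null) return { status: 401, rotationPending: false };
  return { status: 200, rotationPending: slot === "previous" };
}
```

Once requests stop arriving with `rotationPending` set, the previous token can be emptied so only the new one is accepted.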