Getting 401 Invalid API Key response from FreshCRM Webhook

I am trying to call a Freshsales CRM App’s Webhook. I am getting a 401 response with an “Invalid API Key” message.

The API call I’m making is:

curl --location 'https://hooks.freshworks.com/******F_RoNAk1-' \
--header 'Content-Type: application/json' \
--header 'Authorization: ••••••' \
--data '{ "test": "this" }'

The same Authorization header works for other Freshsales CRM REST API calls. Just not the webhook.

Any ideas?

Hi @stevemc,

Could you please explain more about this?

And @Freddy, your thoughts on this?

Thank you.

Thanks for looking into this. I’m not sure what else I can provide that would be useful. I can add this:

  • The webhook is for a custom app I wrote that we use within our company
  • I need to call the webhook from a script we have running in AWS.
  • I have a Postman API definition to call the webhook for the same custom app that I created long ago. I am pretty sure it used to work then but it seems it does not work now.
  • I am sure the token is correct. When I use the very same token in other FreshCRM REST API calls (i.e. Get Contact) the call succeeds.
  • The curl shown above is taken from my Postman API definition. It fails with 401 in Postman just like it does from my script.
  • I obtained the webhook URL/path from the renderData() API call on my custom app so I’m pretty confident it is correct. The thing is, if I just edit the webhook URL to invalidate it, I also get a 401 / Invalid API Key.

I’m not including the actual webhook URL here since I think it may expose a security vulnerability if I do. Let me know if that is not the case and you need to see it in order to assist.

p.s. It would be nice if the App documentation for webhook provided an example of calling the webhook from curl so people could be sure they are calling the API correctly.

Looks like the issue was user error. When I copied the webhook URL from the app log, I did not click “Show more”. It seemed like the URL was complete since it did not fill the 2nd line but turns out there were more characters.

After copying the full webhook URL, it's all working as expected.

p.s. I also realized (I think I recall this to be the case) that the webhook call does not require a Freshworks token / Authentication header. I removed it and still the API returns success true. Security thru obscurity :frowning:

curl --location 'https://hooks.freshworks.com/****qe8I88-*****' \
--header 'Content-Type: application/json' \
--data '{ "test": "this" }'
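
The last post notes that the webhook accepts calls without an Authorization header, so the URL is the only credential. One way to authenticate the sender inside the app itself, shown as an added example that is not part of the original thread or Freshworks' own code: the calling script signs the payload with a shared secret and the handler verifies it before acting. The envelope fields (`ts`, `body`, `sig`), the function names and the secret value are assumptions made for this example.

```javascript
const crypto = require('crypto');

// Assumption: a secret shared between the calling script and the app,
// provisioned out of band (constructed value for this example).
const SHARED_SECRET = 'constructed-example-secret';
const MAX_SKEW_MS = 5 * 60 * 1000; // reject messages more than 5 minutes off

// Sender side: wrap the payload with a timestamp and an HMAC-SHA256 tag.
// The returned envelope is what gets posted as the webhook's JSON body.
function signBody(data, secret, now = Date.now()) {
  const body = JSON.stringify(data);
  const ts = String(now);
  const sig = crypto.createHmac('sha256', secret)
    .update(`${ts}.${body}`).digest('hex');
  return { ts, body, sig };
}

// Receiver side: returns the parsed payload, or null if the envelope is
// malformed, stale, or carries a tag that does not match.
function verifyEnvelope(envelope, secret, now = Date.now()) {
  if (!envelope || typeof envelope.ts !== 'string' ||
      typeof envelope.body !== 'string' || typeof envelope.sig !== 'string') {
    return null;
  }
  const ts = Number(envelope.ts);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) return null;
  const expected = crypto.createHmac('sha256', secret)
    .update(`${envelope.ts}.${envelope.body}`).digest();
  const given = Buffer.from(envelope.sig, 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  try { return JSON.parse(envelope.body); } catch { return null; }
}
```

The timestamp bounds how long a captured request can be replayed; a handler that must reject replays inside that window would also need to remember recently seen tags.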
