Iparam Storage and network calls from Custom App

We are using iparams in our Freshdesk custom app (serverless). While their values are not visible to anyone with Freshdesk access due to the api_key type, how are these values stored internally? Could there be any potential security issues with this?

Additionally, we are making a call to an external service from within the app using onTicketUpdateHandler. Here’s the code sample for reference. I’d like to know if these calls are server-to-server or browser-to-server. Does the call happen from the server whenever a ticket changes, or does it happen from the browser of the agent who makes changes to the ticket?

        const axios = require('axios'); // dependency declared in manifest.json

        exports = {
          // Runs on Freshdesk servers on every ticket update, not in the agent's browser
          onTicketUpdateHandler: function (args) {
            const changes = args.data.ticket.changes || {};
            // responder_id is only present when the assignee actually changed
            if (!changes.responder_id) {
              return;
            }

            // Secure iparams (type api_key) read from the app's installation parameters
            const username = args.iparams.username;
            const password = args.iparams.password;
            const base64Credentials = Buffer.from(`${username}:${password}`).toString('base64');

            const headers = {
              "Content-Type": "application/json",
              "Authorization": `Basic ${base64Credentials}`
            };

            // Payload for the external service (shape assumed; adapt to what the endpoint expects)
            const webhookPayload = { ticket_id: args.data.ticket.id, responder_id: changes.responder_id };

            axios.post('our_exposed_endpoint_url', webhookPayload, { headers })
              .then(response => {
                console.log('Assignment Changed Successfully from ' + changes.responder_id[0] +
                            ' to ' + changes.responder_id[1] +
                            ' with response: ', response.data);
              })
              .catch(error => {
                console.error('Error occurred while making the POST request:');
                if (error.response) {
                  console.error('Status Code:', error.response.status, ' Response Data:', error.response.data);
                }
              });
          }
        };

Lastly, we want to restrict access to our API endpoint so that only Freshdesk servers can hit it. For this, we plan to implement IP whitelisting. How can we find the list of IP addresses used by Freshdesk for the custom app when it is launched?

Hey @Grypton, welcome to the community,

Certainly, I understand your concerns and I’m here to help clarify:

  1. iparams Storage: Rest assured, your iparams values are securely stored and encrypted on Freshdesk servers. They are only accessible to your app’s backend code, minimizing any potential security risks when used properly. Your sensitive data is well-protected.

  2. API Call Nature: The calls made within onTicketUpdateHandler are server-to-server. This means they execute on the server whenever a ticket changes, not from the agent’s browser. So you can be confident that these operations are secure and independent of individual user environments.

  3. API Endpoint Security: I understand the importance of securing your API endpoint. Since IP whitelisting is unreliable due to dynamic IP addresses used by Freshdesk servers, it’s best to implement token-based authentication or API keys. This approach securely restricts access to your endpoint, ensuring only authorized requests from your Freshdesk app are accepted. This method provides a more robust and flexible security measure, giving you peace of mind.

Check out the documentation.

Hey @Debjani, Thank you for the reply.

If, in any case, we decide to enable IP whitelisting, would following this guide be sufficient, or are there any updates to it? For example, the dynamic IP addresses used by FD servers would not go beyond these, right?