Webhook request validation - require secret

I’ve written a function in 3rd party services / http service / incoming webhook. My web page can now fetch up-to-date info directly from MongoDB Atlas, and display it.

I required a secret - the video said to avoid the possibility of DoS attack.

But the secret shows up as a query string in Chrome Developer Tools if you look at Network. Is this something not worth worrying about?

The secret will be visible in dev tools, the same as passwords; they are all stored as plain text on the client, but when they are transferred over the network it will use TLS (https), so you don’t need to worry about that. In this case a secret will be visible as params, so it’s always visible. However, I would not use a secret to secure your API; instead, use a JWT private key and send the key in the header and have Realm verify this key, with your private key stored with Realm.

By the way can you link the video you saw?

I don’t work for MongoDB, but I think this might be a way to solve it; I am trying to do it for myself right now, as I have our own JWT auth system currently.

Let me know how you proceed. Or, if Realm team members have any advice, I would like them to chime in.

  1. Why use a secret to secure the HTTP URLs? They are passed as params and are not a good way to secure your APIs.
  2. If we are using our own custom JWT, how can we pass in our JWT in the header and have Realm functions check the header, verify, decode and allow or deny access?

Thanks.
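
The header-based check asked about in the reply above, as an added example that is not part of the thread and not MongoDB's code: plain Node.js that verifies an HS256-signed JWT taken from the `Authorization` header and allows or denies the request. The names `authorize` and `signToken`, the shape of the `headers` object and the demo key are assumptions; wiring it into a Realm function is not shown.

```javascript
const crypto = require("node:crypto");

// Constructed demo key (assumption). A real key lives server-side only.
const DEMO_KEY = "constructed-demo-signing-key";
const b64url = (s) => Buffer.from(s).toString("base64url");
const hmac = (key, data) => crypto.createHmac("sha256", key).update(data).digest();

// Token issuance belongs to the auth system, not the web page.
function signToken(claims, key) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(hmac(key, `${head}.${body}`))}`;
}

// Hypothetical webhook-side check; `headers` is a plain object (assumption).
function authorize(headers, key, nowSec = Math.floor(Date.now() / 1000)) {
  const deny = (reason) => ({ ok: false, status: 401, reason });
  const name = Object.keys(headers).find((h) => h.toLowerCase() === "authorization");
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(name ? String(headers[name]) : "");
  if (!m) return deny("missing or malformed bearer token");
  const [, head, body, sig] = m;
  const parse = (part) => {
    try { return JSON.parse(Buffer.from(part, "base64url").toString("utf8")); }
    catch { return null; }
  };
  // Pin the algorithm on the server; never let the token choose it.
  const header = parse(head);
  if (!header || header.alg !== "HS256") return deny("unexpected alg");
  // Recompute the MAC and compare in constant time before trusting any claim.
  const expected = hmac(key, `${head}.${body}`);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return deny("bad signature");
  }
  const claims = parse(body);
  if (!claims || typeof claims.exp !== "number" || claims.exp <= nowSec) {
    return deny("expired or missing exp");
  }
  return { ok: true, status: 200, claims };
}
```

A token sent this way is still visible in the browser's dev tools; the difference from a query-string secret is that it stays out of the URL and stops working once `exp` passes.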

Thanks for your reply. I’m a self-taught hobbyist at the moment, hoping to learn enough over a few years of tinkering with personal projects. So I’ll look into what you’ve mentioned, thanks.

The video was this one: Create a Data Enabled API in 10 Minutes with MongoDB Realm - YouTube