Sink routes — inbound webhooks
A special resource type that Corteza supports is system sink (
system:sink) that is used to respond to API requests.
You can use the sink route to implement webhooks; for example, the OAuth flow.
This document focuses mainly on the HTTP request handling. Script invocation and execution are covered in the extensions section.
Each sink URL must be signed for security purposes. The signature is generated based on the parameters (path and constraints) and salted with the JWT secret.
Refer to the CLI command for details.
Corteza will provide alternative ways of securing sink URLs.
When an HTTP request triggers a script, we are unable to determine who is the invoking user.
Because of this, you need to specify the invoking user for the security context (the
See how security context works in automation scripts.
The HTTP request handler validates the request and converts it into a sink request.
check if the signature is provided,
check if the signature is valid,
check if enforced constraints match the request parameters:
maximum body size, and so on.
If the above validation passes, the request becomes a sink request and is processed as any other event.
The sink processor takes the HTTP request and converts it into an event that can trigger automation script on the Corredor server.
The most important thing to note here, is that there are slight deviations based on the content-type of the request.
When the request indicates an email (
OnReceive system mail (
system:mail) event is raised.
Any other case, the
OnRequest system sink (
system:sink) event is raised.
The sink processor also constructs the proper response (headers and body) based on the request.