Validate outbound event notifications (legacy)

❗ ImportantThe shared credentials option described in this topic is deprecated as of December 1, 2020 and is no longer be available for new product integrations. Integrations that were created with shared credentials prior to that date continue to work. For enhanced security, AppDirect recommends that you use the separate credentials type for applications, and that you migrate existing products that use shared credentials to separate credentials. For more information about deprecation, see Product lifecycle phases.

All outgoing requests from AppDirect to a software vendor are signed with that vendor's OAuth 1.0 credentials. Vendors must verify these signatures to ensure that requests originate from AppDirect. This is important to note because several subscription and user-related API calls trigger event notifications from AppDirect to the vendor. Non-interactive requests sent between AppDirect and the vendor contain an OAuth signature in the Authorization header. Interactive requests, where the user is redirected to the vendor, contain a signature in the URL parameters.