I see the user agent on the open messaging webhook's payload as "User-Agent": "undefined/591 (messaging-connector-open-outgoing-sqs-message)"
Is that good source of information to consider that the message is from authenticated source? (i.e. messaging-connector-open text?)
I understand user agent is also very thin. Are there any other better recommendations on this?
FYI, I understand the HMAC to verify but I would not want to process any data just because the header is available so thinking an additional level of restriction will save and hence this question.
User-Agent is not a recommended source of information and is likely to be fluid and change over time. HMAC is the only 100% accurate way to verify the source of the call but if you are looking for a light 2nd layer check that you could do. We do have an Ip range entry under https://developer.genesys.cloud/organization/utilities-apis#get-api-v2-ipranges but this should not be necessary if you are doing HMAC.
Thank you very much for sharing the details.
I get details as below
"service": "open-messaging" and IP CIDR.
Very useful and I can utilize this.
Any recommended frequency to check for changes in the IP range? or will the same be notified as part of releases?
(I do not see any notification/event published on change - if I am missed, please share)