[GH-ISSUE #412] [Feature-request] Add validation token to hook and API requests #265

New issue

Closed

opened 2026-03-15 13:32:40 +03:00 by kerem · 4 comments

kerem commented 2026-03-15 13:32:40 +03:00

Owner

Copy link

Originally created by @baiomys on GitHub (Dec 16, 2024).
Original GitHub issue: https://github.com/axllent/mailpit/issues/412

For instance telegram bot API uses X-Telegram-Bot-Api-Secret-Token passed in header.
It is user definable during webhook initialization.

Is it possible to implement same mechanism in API calls and maybe in webhook?
Most of interaction with API occurs on private networks, but sometimes it is necessary to expose REST endpoints.
Currently all path and header validation runs on reverse proxy side, which is a bit inconvenient.

Originally created by @baiomys on GitHub (Dec 16, 2024). Original GitHub issue: https://github.com/axllent/mailpit/issues/412 For instance telegram bot API uses _X-Telegram-Bot-Api-Secret-Token_ passed in header. It is user definable during webhook initialization. Is it possible to implement same mechanism in API calls and maybe in webhook? Most of interaction with API occurs on private networks, but sometimes it is necessary to expose REST endpoints. Currently all path and header validation runs on reverse proxy side, which is a bit inconvenient.

kerem closed this issue 2026-03-15 13:32:45 +03:00

kerem commented 2026-03-15 13:32:51 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (Dec 20, 2024):

Sorry, I'm not ignoring you @baiomys - I've just been recovering after the operation ... and thinking about this. Your question is actually two-fold, first for webhook requests, and secondly incoming API requests. Currently neither is possible using tokens. I'm not saying I won't consider this, I would just like to understand your requirements better, as supporting like this becomes a huge change in how Mailpit works.

Webhooks
From what I can tell, the Telegram API allows a token to be set in either a header, or in the URL. Is there any reason you can't use it in the URL, or do I misunderstand the difference between a secret token and (regular?) token?

API
As far as authentication is (currently) concerned, both the web UI and the API are directly linked, and currently only supports basic authentication. If basic auth is set, then HTTP requests should be made in the form of https://<user>:<pass>@example.com/api/v1/<endpoint>. Can the external bot service not use this syntax?

When it comes to custom integrations (like what I think you are working towards), then you may have to consider a custom self written "proxy service" (PHP, Go, node server etc) that can receive requests from either end and then process / customize the data, and pass that on either way (<Mailpit> <-> <proxy> <-> <Telegram>). This both limits your Mailpit exposure to the internet, and allows you the flexibility to do whatever you like without requiring both ends to communicate directly.

<!-- gh-comment-id:2556266266 --> @axllent commented on GitHub (Dec 20, 2024): Sorry, I'm not ignoring you @baiomys - I've just been recovering after the operation ... and thinking about this. Your question is actually two-fold, first for webhook requests, and secondly incoming API requests. Currently neither is possible using tokens. I'm not saying I won't consider this, I would just like to understand your requirements better, as supporting like this becomes a huge change in how Mailpit works. **Webhooks** From what I can tell, the Telegram API allows a token to be set in either a header, or [in the URL](https://core.telegram.org/bots/api#making-requests). Is there any reason you can't use it in the URL, or do I misunderstand the difference between a secret token and (regular?) token? **API** As far as authentication is (currently) concerned, both the web UI and the API are directly linked, and currently only supports basic authentication. If basic auth is set, then HTTP requests should be made in the form of `https://<user>:<pass>@example.com/api/v1/<endpoint>`. Can the external bot service not use this syntax? When it comes to custom integrations (like what I think you are working towards), then you may have to consider a custom self written "proxy service" (PHP, Go, node server etc) that can receive requests from either end and then process / customize the data, and pass that on either way (`<Mailpit>` <-> `<proxy>` <-> `<Telegram>`). This both limits your Mailpit exposure to the internet, and allows you the flexibility to do whatever you like without requiring both ends to communicate directly.

kerem commented 2026-03-15 13:32:56 +03:00

Author

Owner

Copy link

@baiomys commented on GitHub (Dec 20, 2024):

Thanks for detailed response. Secret token in telegram serve as protection against guessing hook URL and tampering with it.
Entire hook, including this token, can be set at runtime.

https://api.telegram.org/botxxxxxxxxx:yyyyyyyyyyyyyyyyyyyyyyyyy/setWebhook?url=https://domain.tld/tghook/4af3a9903c03f97283e663e878746490&drop_pending_updates=True&max_connections=40&secret_token=49188f1beec02c87d653723975180445189f6a6a8bda509b5a8f75ac73f74e28

Which makes all calls perfectly secure.
Tampering with webhook in MAILPIT can't do any serious harm, so implementing such protection right away is not necessary.

On the other hand tampering with API calls can be a REAL DISASTER.
Pls consider in near future JWT or other protection apart from user:password.
=)

<!-- gh-comment-id:2556375477 --> @baiomys commented on GitHub (Dec 20, 2024): Thanks for detailed response. Secret token in telegram serve as protection against guessing hook URL and tampering with it. Entire hook, including this token, can be set at runtime. https://api.telegram.org/botxxxxxxxxx:yyyyyyyyyyyyyyyyyyyyyyyyy/setWebhook?url=https://domain.tld/tghook/4af3a9903c03f97283e663e878746490&drop_pending_updates=True&max_connections=40&secret_token=49188f1beec02c87d653723975180445189f6a6a8bda509b5a8f75ac73f74e28 Which makes all calls perfectly secure. Tampering with webhook in MAILPIT can't do any serious harm, so implementing such protection right away is not necessary. On the other hand tampering with API calls can be a REAL DISASTER. Pls consider in near future JWT or other protection apart from user:password. =)

kerem commented 2026-03-15 13:33:01 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (Dec 20, 2024):

Whilst I understand what damage can be caused by tampering with API calls, I still don't understand how a token is more secure than basic auth though? Both are transmitted as HTTP headers (client to server), and both a username and password can be as long & complex as you like.

<!-- gh-comment-id:2556618412 --> @axllent commented on GitHub (Dec 20, 2024): Whilst I understand what damage can be caused by tampering with API calls, I still don't understand how a token is more secure than basic auth though? Both are transmitted as HTTP headers (client to server), and both a username and password can be as long & complex as you like.

kerem commented 2026-03-15 13:33:06 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (Dec 20, 2024):

Sorry, I should say that JWT is more secure in that it is time based, however if someone is literally tampering with your HTTPS connection, then you have far bigger problems to worry about.

<!-- gh-comment-id:2556636731 --> @axllent commented on GitHub (Dec 20, 2024): Sorry, I should say that JWT is more secure in that it is time based, however if someone is literally tampering with your HTTPS connection, then you have far bigger problems to worry about.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

v1.29.7

v1.29.6

v1.29.5

v1.29.4

v1.29.3

v1.29.2

v1.29.1

v1.29.0

v1.28.4

v1.28.3

v1.28.2

v1.28.1

v1.28.0

v1.27.11

v1.27.10

v1.27.9

v1.27.8

v1.27.7

v1.27.6

v1.27.5

v1.27.4

v1.27.3

v1.27.2

v1.27.1

v1.27.0

v1.26.2

v1.26.1

v1.26.0

v1.25.1

v1.25.0

v1.24.2

v1.24.1

v1.24.0

v1.23.2

v1.23.1

v1.23.0

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.21.1

v1.21.0

v1.20.7

v1.20.6

v1.20.5

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.18.7

v1.18.6

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.1

v1.15.0

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.0

v1.10.4

v1.10.3

v1.10.2

v1.10.1

v1.10.0

v1.9.10

v1.9.9

v1.9.8

v1.9.7

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.1

v1.7.0

v1.6.22

v1.6.21

v1.6.20

v1.6.19

v1.6.18

v1.6.17

v1.6.16

v1.6.15

v1.6.14

v1.6.13

v1.6.12

v1.6.11

v1.6.10

v1.6.9

v1.6.8

v1.6.7

v1.6.6

v1.6.5

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.0

v1.3.11

v1.3.10

v1.3.9

v1.3.8

v1.3.7

v1.3.6

v1.3.5

v1.3.4

v1.3.3

v1.3.2

v1.3.1

v1.3.0

v1.2.9

v1.2.8

v1.2.7

v1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.7

1.1.6

1.1.5

1.1.4

1.1.3

1.1.2

1.1.1

1.1.0

1.0.0

1.0.0-beta1

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

0.0.9

0.0.8

0.0.7

0.0.6

0.0.5

0.0.4

0.0.3

0.0.2

0.0.1-beta

Labels

Clear labels   

awaiting feedback

  

bug

  

docker

  

documentation

  

enhancement

  

github_actions

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

wontfix

No labels

awaiting feedback

bug

docker

documentation

enhancement

github_actions

invalid

pull-request

question

stale

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mailpit#265

No description provided.