Mattermost, Inc.

401 on Mattermost Webhooks

Summary

(Apologies if this is a configuration setting, a duplicate, or expected - have only started seeing this since the update)

It appears that webhooks respond with a 401 if the webhook owner does not have an active session.

Checking for token expiry / generating a new token before a webhook seems to work so far as a fix (even though webhooks don’t use tokens. It also seems that using the login API does not give a token expiry time, and hasn’t for a while)

Steps to reproduce

Mattermost: 5.27.0
Create a new account
Create a new incoming webhook on the account
Use the API to obtain a Mattermost token, use the webhook (this should work)
Wait until the token session expires, use the webhook

Expected behavior

Webhook should still work

Observed behavior

Webhook fails with HTTP 401:

{"id":"api.context.session_expired.app_error","message":"Invalid or expired session, please login again.","detailed_error":"","request_id":"…","status_code":401}

Hello Nessworthy,

I am looking into the problem. Webhooks should work without any kind of authorization token, just using the webhook secret.

It would be great if you could give more information about the setup of your integration.

Edit:
If you could provide the API points you are accessing, it would be a great help to completely understand what kind of token you are asking for and what the problem could be.