APLYiD Credit Bureau; add Webhook Callback Authorisation

finPOWER Connect now supports the Bearer Token Authentication method in webhook callbacks from APLYiD.

NOTE: Whilst this may provide some level of extra protection, we strongly recommend using a firewall and whitelisting the APLYiD API endpoint.

To use, open the APLYiD portal and configure Webhooks

• Open the APLYiD portal https://app.aply.co.nz/portal/agent/admin/api
• Expand the Preferences menu and click on the Developers page
• On the right-hand side of this page there is the "Web hook configuration" section
• Amend the "Auth method" to "Bearer token" and define your token

In finPOWER, under Cost Centres, APLYiD page, Credentials tab enter the same Bearer Token as above.

NOTE: Leave blank to disable the Bearer Token authentication.

Now, whenever a webhook callback is received, finPOWER Connect will validate that the correct Bearer Token is included.

WARNING: If a webhook callback is received that does not match the expected Bearer Token, finPOWER Connect will return an unathorised/ failure response. If the callback is from APLYiD, they will retry using their normal retry periods. It is important that these failures are quickly rectified, as APLYiD will only retry a certain number of times up to approximately 12 hours after the initial failure.If a callback is rejected due to an Authentication failure, the finPOWER Web Service will create a UserLog record linked to the ServiceLog for the original APLYiD request. That User Log will be assigned to the user that requested the verification. The UserLog item, along with an Alert to highlight it, will also appear on the APLYiD verification summary page. It is removed from the page after the verification completes.