Merge pull request #2037 from matrix-org/travis/1.0/appservice-hs-token

Clarify how homeservers are meant to auth themselves to appservices
2025-12-26 10:58:38 +01:00 · 2019-05-28 12:56:28 -06:00 · 2019-05-28 12:56:28 -06:00 · 76829ad988
parent a8f61697d1 e2da3728a0
commit 76829ad988
2 changed files with 10 additions and 0 deletions
--- a/changelogs/application_service/newsfragments/2037.clarification
+++ b/changelogs/application_service/newsfragments/2037.clarification
@ -0,0 +1 @@
+Add missing definition for how appservices verify requests came from a homeserver.
--- a/specification/application_service_api.rst
+++ b/specification/application_service_api.rst
@ -187,6 +187,15 @@ An example registration file for an IRC-bridging application service is below:
 Homeserver -> Application Service API
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+Authorization
+++++++++++++
+
+Homeservers MUST include a query parameter named ``access_token`` containing the
+``hs_token`` from the application service's registration when making requests to
+the application service. Application services MUST verify the provided ``access_token``
+matches their known ``hs_token``, failing the request with a ``M_FORBIDDEN`` error
+if it does not match.
+
 Legacy routes
 +++++++++++++
				`@ -0,0 +1 @@`
				`Add missing definition for how appservices verify requests came from a homeserver.`