Clarify how homeservers are meant to auth themselves to appservices

Fixes https://github.com/matrix-org/matrix-doc/issues/1765 Note that the swagger definitions already say that authorization is required. It just wasn't mentioned in the spec.
2026-01-07 16:33:43 +01:00 · 2019-05-27 22:40:07 -06:00 · 2019-05-27 22:40:07 -06:00 · d0fd20fdb4
parent 699cafe670
commit d0fd20fdb4
2 changed files with 9 additions and 0 deletions
--- a/changelogs/application_service/newsfragments/2037.clarification
+++ b/changelogs/application_service/newsfragments/2037.clarification
@ -0,0 +1 @@
+Add missing definition for how appservices verify requests came from a homeserver.
--- a/specification/application_service_api.rst
+++ b/specification/application_service_api.rst
@ -187,6 +187,14 @@ An example registration file for an IRC-bridging application service is below:
 Homeserver -> Application Service API
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+Authorization
+++++++++++++
+
+Homeservers MUST include a query parameter named ``access_token`` containing the
+``hs_token`` from the application service's registration when making requests to
+the application service. Application services MUST verify the provided ``access_token``
+matches their known ``hs_token``, failing the request with a ``M_FORBIDDEN`` error.
+
 Legacy routes
 +++++++++++++
				`@ -0,0 +1 @@`
				`Add missing definition for how appservices verify requests came from a homeserver.`