When building an integration with monday.com, you'll need to handle authentication. Below are the main authentication flows you will implement:

Verify the authenticity of requests from monday
Authenticate using a short-lived token
Initiate the OAuth flow

Verify the authenticity of requests from monday.com

Your app should validate the Authorization JWT included with each request to ensure that incoming requests are from monday.com.

monday.com signs every outbound request with a JWT (JSON Web Token) in the Authorization header. You can decode this token to extract useful metadata and verify its signature to ensure the request's authenticity.

The JWTs are signed with different secrets depending on the webhook source:

App lifecycle webhooks: Signed using your app's Client Secret
Board webhooks: Signed using your app's Signing Secret

Verify the JWT

You should decode and verify the JWT using a third-party library like jsonwebtoken or pyjwt. Visit jwt.io to browse a list of libraries in different languages.

JWT contents

The JWT contains a JSON object with metadata about the request. It has the following structure:

{
  "accountId": 1825528, // the ID of the account initiating the request
  "userId": 4012689, // the ID of the user triggering the action
  "aud": "https://www.yourserver.com/endpoint", // the expected audience of the token (your app’s endpoint URL)
  "exp": 1606808758, // expiration timestamp of the JWT
  "shortLivedToken": "SHORT_LIVED_TOKEN_HERE", // the short-lived token to authenticate against the monday API
  "iat": 1606808458 // issued-at timestamp of the JWT
}

This JWT will be included every time the monday integration server sends a POST request to your integration app, such as when:

Directing a user to your app's Authorization URL
Subscribing to a custom trigger
Unsubscribing from a custom trigger
Calling your custom action's run URL
Retrieving remote options for a dropdown field
Retrieving remote field definitions for object fields and custom entities

Authenticate using a short-lived API token

During integration runtime, monday will send your app a short-lived API token. This token is included in the Authorization header and is valid for five minutes.

You can use this token to authenticate against the monday API. It will have the same permission scopes as your app. Note that monday.com will only issue a short-lived token if your app's endpoints are secured with HTTPS.

For details on how to use this token for authentication, refer to monday API Authentication.

Initiate the OAuth flow

If your integration needs to authenticate with a third-party system (e.g., for sending data or storing OAuth tokens), you can choose between two options:

Credentials field (recommended): Use if you want to share the same code for workflows and the sentence builder. Learn more about this option in the Credentials field documentation
Authorization URL: Use if everyone goes through the same flow, or if you're using the sentence builder. Learn more in the Authorization URL documentation.