Skip to content

Trello Webhook Callback Token

Service Name: Trello

Service Description: Trello is a web-based, Kanban-style list-making application that is a subsidiary of Atlassian. It is used for project management and task organization through boards, lists, and cards.

Service Address: https://trello.com/

Validation Type: API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants access to receive webhook notifications from Trello boards, lists, cards, or other Trello objects. The token allows verification that webhook callbacks are genuinely from Trello.

Secret Revokement URL: https://developer.atlassian.com/cloud/trello/guides/rest-api/webhooks/

Secret Example: e5e25aa97d9a3e5b52dddd818e5f209f3453ac3bc7f1d8a1ecd3d5d76d7a94bf

Suspicious Activity Investigation Instructions:

  • Review the webhook configurations in your Trello Power-Up or application settings
  • Check the Trello API logs for unusual webhook activity
  • Monitor for unauthorized changes to webhook destinations
  • Verify that webhook callbacks are being sent to the expected endpoints
  • Review your application logs for any unexpected webhook processing

Mitigation Instructions:

  • Delete the compromised webhook through the Trello API using a DELETE

request to https://api.trello.com/1/webhooks/{id}

  • Create a new webhook with a fresh callback URL and token
  • Update your application to use the new webhook token for verification
  • Implement additional security measures such as IP filtering if possible
  • Consider implementing HMAC verification for webhook payloads
  • Review and update your secret management practices to prevent future

exposures