Frequent Visitor

Delete webhook sends different Authorization header than Post (creating webhook)

I am building a custom connector. The security is set to API Key type, which sends a token that the user gets in our application. Everything works fine, but the problem is that on the delete webhook action a different type of API key is sent in the Authorization header.

According to documentation here:

"No additional header is included for the delete webhook call. The same connection used in the connector is also used for the delete webhook call."

The Authorization header in post:
Screenshot 2021-04-12 150353.png

We expect the same type of Auth in delete too but this is what we receive:

Screenshot 2021-04-12 150513.png


We are supposed to receive the same Authorization header as in the post action, right? But as you can see, a different key is sent. What are we doing wrong?
Here are the swagger parts for post and delete:


        type: object
            schemaType: {parameter: eventPath}
          operationId: GetSchema
          value-path: schema
            schemaType: {parameterReference: eventPath}
          operationId: GetSchema
          itemValuePath: schema
      description: Schema of the webhook payload from Assently
        '201': {description: Created}
      summary: Case trigger event 2
      description: 'Trigger when:'
      operationId: CaseEventTrigger
      x-ms-trigger: single
      - {$ref: '#/parameters/eventPath_in_query'}
      - name: body
        in: body
        required: false
          type: object
            callbackUrl: {type: string, description: callbackUrl, x-ms-notification-url: true,
              x-ms-visibility: internal, title: ''}
          required: [callbackUrl]
      description: Deletes a webhook
      operationId: DeleteTrigger
      - {name: hookId, in: path, description: ID of the Hook being deleted, required: true,
        x-ms-url-encoding: single, type: string}
        '200': {description: Ok}
      summary: Deletes a webhook
      x-ms-visibility: internal




Accepted Solutions
Frequent Visitor

We finally found out that the problem was the delete url that we sent by Location header had been resolving by http. Fixing it to https solved the problem and we receive the expected token. Make sure your delete url is https. 
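
A sketch of the fix described in the accepted solution, together with a receiving-side check for the symptom in the question, added here as an example and not code from any poster or from Microsoft. The base URL, the `/webhooks/<id>` path layout and the function names are assumptions, and the sample headers in the comments are constructed.

```python
from urllib.parse import quote, urlsplit, urlunsplit

# Hypothetical public base URL of the API that hosts the webhook endpoints.
PUBLIC_BASE_URL = "https://api.example.test"


def webhook_location(hook_id: str, base_url: str = PUBLIC_BASE_URL) -> str:
    """Build the absolute Location value for the 201 response, https only.

    Building from a configured base (not from the inbound request URL) keeps
    the scheme stable, and a non-https base fails here instead of at delete time.
    """
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"Location base must be an absolute https URL: {base_url!r}")
    # Assumed path layout; percent-encode the id so it stays one path segment.
    path = f"{parts.path.rstrip('/')}/webhooks/{quote(hook_id, safe='')}"
    return urlunsplit(("https", parts.netloc, path, "", ""))


def delete_auth_scheme_ok(headers: dict, expected_scheme: str) -> tuple:
    """Check the Authorization scheme on a DELETE before validating the credential.

    Returns (ok, log_note). The note never contains the credential itself,
    because an unexpected credential may belong to another system.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, credential = lowered.get("authorization", "").partition(" ")
    if not scheme or not credential.strip():
        return False, "missing or malformed Authorization header"
    if scheme.lower() != expected_scheme.lower():
        note = f"unexpected scheme {scheme!r} ({len(credential)} chars, redacted)"
        return False, note
    return True, f"scheme {scheme!r} matches; continue with credential validation"


if __name__ == "__main__":
    print(webhook_location("18"))
    # Constructed sample headers: one in the connector's configured scheme,
    # one in a scheme the API did not expect.
    print(delete_auth_scheme_ok({"Authorization": "Basic dXNlcjpwYXNz"}, "Basic"))
    print(delete_auth_scheme_ok({"Authorization": "Key abc123"}, "Basic"))
```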



Can you test the delete method just by creating an action to delete an existing webhook? Please make sure the location matches delete action.


"In order for Logic Apps or Power Automate to delete a webhook, the API must include a Location HTTP header in the 201 response at the time the webhook is created. The Location header should contain the path to the webhook that is used with the HTTP DELETE. For example, the Location included with GitHub's response follows this format: <user name>/<repo name>/hooks/<hook ID>."



Frequent Visitor

We are sending the Location header; that's why we receive the delete request in our API, for which I've shared the Authorization header screenshot. When I test the action in the Test tab of the connector, everything is fine. We receive the key of the user's connection and the custom header that we have set as a policy to be sent on requests. But when we delete a flow, a different type of Authorization header is sent and the custom header is also missing.


Advocate II

This issue is still occurring, and not due to scheme.

We're seeing the same `Key` authorization header in the DELETE request, but all other requests operate correctly using the authentication method defined in the connector.


Our security type is BASIC authentication for our connector.


This feels like a possible security concern, as the credentials passed to the DELETE are not for our application. 


@murshed @Amjed-Ayoub 


Seeing a 401 response for only the DELETE request:


[25/Apr/2022:20:22:44 +0000] "DELETE /webhooks/18 HTTP/1.0" 401 615 "-" "azure-logic-apps/1.0 (workflow d9e2faa860124504aa713d81c66b4d8d; version 08585506906287617235) microsoft-flow/1.0"


Here's a sample of the key we're getting:


