Commit bf8ae1e

Update secure-webhook-endpoint.md
1 parent 8a6ccd2 commit bf8ae1e

1 file changed: +13 -1 lines changed

articles/communication-services/how-tos/call-automation/secure-webhook-endpoint.md

Lines changed: 13 additions & 1 deletion
@@ -25,6 +25,8 @@ Azure Communication Services relies on Azure Event Grid subscriptions to deliver
2525

2626
## Call Automation webhook events
2727

28+
### OpenID Configuration Verification
29+
2830
[Call Automation events](../../concepts/call-automation/call-automation.md#call-automation-webhook-events) are sent to the webhook callback URI specified when you answer a call or place a new outbound call. Your callback URI must be a public endpoint with a valid HTTPS certificate, Domain Name System name, and IP address with the correct firewall ports open to enable Call Automation to reach it. This anonymous public web server could create a security risk if you don't take the necessary steps to secure it from unauthorized access.
2931

3032
::: zone pivot="programming-language-csharp"
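
Review bot: The new "### OpenID Configuration Verification" heading is placed above the paragraph that starts "[Call Automation events](...) are sent to the webhook callback URI", but that paragraph describes the callback endpoint in general (public endpoint, valid HTTPS certificate, open firewall ports) and applies to every protection method, including the query parameter token section added later in this commit. Keep that paragraph directly under "## Call Automation webhook events" and move the new heading below it, just before the OIDC-specific content and the zone pivots. The heading is also in title case while the parent heading "Call Automation webhook events" uses sentence case; "### OpenID configuration verification" would match.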
@@ -44,7 +46,17 @@ Azure Communication Services relies on Azure Event Grid subscriptions to deliver
4446
::: zone-end
4547

4648
> [!IMPORTANT]
47-
> Our service uses the default token standard described above. We do not support custom tokens or modified token formats.
49+
> Our service uses standard JSON Web Token in the authentication header, and only support OpenID Connect (OIDC) JWT validation.
50+
51+
### Query Parameter Token Authentication
52+
53+
Query Parameter Token Authentication is a simple method of securing webhook callbacks by appending a pre-shared secret token to the webhook endpoint URL as a query string parameter. This token acts as a lightweight authentication key, allowing your system to verify that webhook callback events originate from the Call Automation Service.
54+
55+
```
56+
https://api.example.com/webhook?token=8f2d9c63a7b14d32b53c9e12a1f47fcb
57+
```
58+
59+
When webhook callback events are received, the Call Automation Service includes the token exactly as you configured (see example above). Upon receiving the request, your system compares the token in the query parameter against a stored, trusted value. Requests without the token, or with an incorrect value, should be rejected.
4860

4961
## Call Automation WebSocket events
5062
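
Review bot: The rewritten [!IMPORTANT] note says the service "only support OpenID Connect (OIDC) JWT validation", and the very next section documents a second, non-OIDC mechanism, so the two read as contradicting each other. Scope the note to the authentication header (for example, that custom or modified token formats in the header are not supported, which the removed line stated explicitly) and fix the grammar: "a standard JSON Web Token" and "only supports". In "### Query Parameter Token Authentication", the text calls the token a "simple method" with no caveat that a secret carried in the URL is commonly written to web server, proxy and gateway access logs. Add guidance to keep the query string out of logs, to generate the token randomly, to rotate it, and to compare it against the stored value in constant time. The sentence "When webhook callback events are received, the Call Automation Service includes the token" has the timing backwards, since the service includes the token when it sends the callback. The sample URL would be clearer with an obvious placeholder such as `?token=<your-secret-token>` rather than a realistic-looking hex value, and the code fence has no language tag.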
