WebHook event delivery Authentication: SAS tokens A Shared Access Signature (SAS) token is a security token that grants delegated, time-limited access to a specific resource. A key feature of a SAS token is its mandatory expiry time, which directly fulfills the question's requirement that the credential "must be invalidated after a specific period of time." By using a time-scoped token, you ensure that even if the credential is compromised, its usability is temporary, significantly enhancing the security posture. In the context of Event Grid, SAS tokens are the standard method for authenticating clients that publish events to a topic.

Topic publishing Type: ValidationCode handshake The ValidationCode handshake is a required security mechanism that Event Grid uses to validate an event subscription's endpoint. When a new subscription to a webhook is created, Event Grid sends a validation request containing a unique validationCode. The endpoint must respond with this same code to prove its ownership and consent to receive events. This one-time handshake prevents the service from sending events to an unintended or malicious endpoint. This is a foundational step in securing the event subscriber before any event data is published or delivered.

Microsoft Azure Documentation, "Authenticate publishing clients to Azure Event Grid": This document details the use of SAS tokens for providing time-scoped, secure access for publishing events.

Source: learn.microsoft.com/en-us/azure/event-grid/authenticate-publishing-clients, Section: "Shared Access Signature (SAS) authentication".

Microsoft Azure Documentation, "Event Grid security and authentication": This official source describes the endpoint validation handshake as a primary security measure for event subscriptions. It states, "Event subscription validation prevents a malicious user from flooding your endpoint with events."

Source: learn.microsoft.com/en-us/azure/event-grid/security-and-authentication, Section: "Endpoint validation".