Documentation

Safety Check in Events

App developers should ensure that requests to the app's event handlers come specifically from Bitrix24 and not from unauthorized parties. For this purpose, Bitrix24 sends an additional application_token parameter whenever it calls a handler.

The parameter is first passed to the OnAppInstall event handler, together with the authorization data of the user who installed the app. Using this authorization data, the OnAppInstall handler can confirm that the received access_token is valid and record application_token. From then on, the app's handlers for other events can compare the application_token they receive with the saved one.

This is especially relevant for the OnAppUninstall event handler, because it does not receive authorization data (the application has already been deleted in Bitrix24). For OnAppUninstall, comparing application_token with the saved value is therefore the only way to ensure that the handler is requested specifically by Bitrix24.
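The flow described above can be sketched as follows. This is an added example, not Bitrix24's own code. It assumes the handler has already parsed the request into an event name and an `auth` dictionary, that `member_id` identifies the portal, and that `access_token_is_valid` is a hypothetical caller-supplied check; the in-memory `TokenStore` stands in for persistent storage.

```python
import hmac

class TokenStore:
    """In-memory stand-in for persistent storage, keyed by portal id."""
    def __init__(self):
        self._tokens = {}
    def save(self, portal, token):
        self._tokens[portal] = token
    def get(self, portal):
        return self._tokens.get(portal)
    def delete(self, portal):
        self._tokens.pop(portal, None)

def handle_event(event, auth, store, access_token_is_valid):
    """Return True if the event is accepted as coming from Bitrix24.

    event: event name, compared case-insensitively
    auth:  dict with application_token and, where sent, access_token;
           the "member_id" portal key is an assumption of this example
    access_token_is_valid: hypothetical hook that validates an access_token,
           for instance by making an authenticated call to the portal
    """
    name = event.upper()
    portal = auth.get("member_id")
    received = auth.get("application_token")
    if not portal or not received:
        return False

    if name == "ONAPPINSTALL":
        # Record application_token only after the access_token checks out,
        # so a forged install request cannot replace the saved value.
        if not access_token_is_valid(auth.get("access_token")):
            return False
        store.save(portal, received)
        return True

    saved = store.get(portal)
    if saved is None:
        return False  # nothing recorded at install time: cannot authenticate
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(saved.encode(), received.encode()):
        return False

    if name == "ONAPPUNINSTALL":
        # No authorization data arrives here; the token match is the only check.
        store.delete(portal)
    return True
```

A handler should reject the request (for example with an HTTP 403) and do no further work when `handle_event` returns False.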

© «Bitrix24», 2001-2024