
I'm developing a Telegram bot that should send updates to a registered webhook.

The backend is implemented as a Cloud Function, sitting behind an API Gateway (everything's in Google Cloud Platform).

I want to make sure that only genuine requests come through and no one can abuse the endpoint. For this purpose, a secret_token can be configured for the Telegram bot, which will be sent in the X-Telegram-Bot-Api-Secret-Token header with every request coming from this bot.

On the API side I can configure API key security for my API. However, based on the documentation, only the x-api-key header name can be used in the Swagger specification (I tested this and, indeed, no other header names work).

So, how could I possibly make it work together? AFAIK, I can't choose a custom name for the secret token header on the Telegram side. In the same way, I can't choose an arbitrary name in the securityDefinitions of the Swagger spec for the API in Google API Gateway.

Are there any possible workarounds here? Maybe there's some "overwrite header" functionality in the Gateway? I tried searching for this, but didn't find anything that could be used. Or, maybe, it's possible to describe a required header value in the Swagger spec? I know that I can require the presence of a particular header, but, AFAIK, I can't require it to match some specific value...

Dmytro Titov
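
An added example, not part of the original post: one way to enforce the X-Telegram-Bot-Api-Secret-Token value inside the Cloud Function itself rather than in the gateway's securityDefinitions. It assumes a Python runtime and that the gateway passes the header through to the backend; `check_webhook` and the sample token are hypothetical names and constructed values.

```python
import hmac
import re

HEADER = "X-Telegram-Bot-Api-Secret-Token"
# Telegram accepts 1-256 characters from A-Z, a-z, 0-9, "_" and "-" as secret_token.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,256}")


def check_webhook(headers, expected_token):
    """Return the HTTP status the function should answer with.

    headers: mapping of request header names to values (any letter case).
    expected_token: the secret_token that was registered for the bot.
    """
    # Fail closed when the function was deployed without a usable secret.
    if not expected_token or not TOKEN_RE.fullmatch(expected_token):
        return 500
    # Header names are case-insensitive and a proxy may re-case them.
    values = [v for k, v in headers.items() if k.lower() == HEADER.lower()]
    if len(values) != 1:
        return 401  # header missing, or ambiguous duplicates
    presented = values[0]
    if not isinstance(presented, str) or not TOKEN_RE.fullmatch(presented):
        return 401  # malformed value, reject before comparing
    # Constant-time comparison so response timing does not reveal a prefix match.
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return 403
    return 200


if __name__ == "__main__":
    secret = "s3cret_Token-01"  # constructed sample; load the real one from config
    print(check_webhook({HEADER: secret}, secret))
    print(check_webhook({HEADER: "guess"}, secret))
    print(check_webhook({}, secret))
```

In a real handler the returned status would be sent back before any update body is parsed, and the expected token would come from the function's secret configuration, not from source code.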

0 Answers