![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 84%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETT%3C/text%3E%3C/svg%3E)
Microsoft Teams | Development
Building, integrating, or customizing apps and workflows within Microsoft Teams using developer tools and APIs
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 84%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHN%3C/text%3E%3C/svg%3E)
Hi TW Th
Based on your description, I would like to share some information from my research that I hope will be helpful.
Does the sig parameter have an expiration date or validity period?
There is no documented time‑based expiration for the sig parameter. The sig value is the Shared Access Signature (SAS) used to secure the request-based trigger endpoint in Logic Apps–based workflows. While the documentation explains the purpose and structure of this signature, it does not define any expiration time or validity window for it.
If it expires, how can the expiration time be checked?
Because no expiration or lifetime is documented, there is no supported way to check or determine an expiration time for the sig parameter. Unlike Azure Storage SAS tokens (which often include explicit expiry fields), the callback URL generated for request-based triggers does not expose expiration metadata.
Is the webhook URL intended to remain valid indefinitely, or should applications handle renewal?
Based on current documentation and platform behavior, the webhook URL is intended to remain valid indefinitely. There is no requirement for applications to perform periodic renewal of the webhook URL or the sig parameter.
It remains valid unless one of the following occurs:
- The trigger or workflow is deleted and recreated.
- The callback URL is manually regenerated.
- Access is restricted through security controls (for example: IP allowlists, API Management, or Microsoft Entra ID).
Because the sig parameter does not have a documented expiration, it should be managed as a secure token. You can consider applying additional security controls for production scenarios, such as:
- Restricting inbound IP address ranges.
- Using Azure API Management in front of the workflow.
- Using Microsoft Entra ID authentication where supported.
For your reference: Secure access and data in workflows - Azure Logic Apps | Microsoft Learn
I hope this information helps and if you have any further questions, please feel free to ask via comment section.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.