[Generated by SRE Agent] Clarify identifier security guidance

Co-authored-by: Azure SRE Agent <noreply@microsoft.com>
This commit is contained in:
Azure SRE Agent
2026-06-14 06:27:55 +00:00
Unverified
parent ed4ff188fc
commit 43aaf58821
3 changed files with 16 additions and 0 deletions
@@ -48,6 +48,10 @@ async def handle_approval_response(
| `POST /api/workflow/respond/{instanceId}/{requestId}` | Send human response |
| `GET /api/health` | Health check |
These routes expose workflow status and human-response operations. In production, put them behind your application's authentication and authorization layer and verify that the caller is allowed to inspect or resume the targeted workflow before returning status or accepting a response.
Treat `instanceId` and `requestId` as correlation handles only. They help locate workflow state, but they are not secrets or proof that a caller is authorized to act on that workflow.
### Durable Functions Integration
When running on Durable Functions, the HITL pattern maps to: