Inbound webhooks: fast, simple, powerful — and blunt
- Created in minutes; no OAuth dance; perfect for server-to-server flows you control
- The URL is the credential: leak it and someone has your scopes until you rotate
- Tied to the creating user: their permissions, and death on their deactivation — create under a service account, always
- No embedded UI, no app-level event subscriptions
OAuth (local) apps: more machinery, more control
- Access + refresh token lifecycle — short-lived credentials instead of a standing secret
- Granular scopes; not bound to one human user's employment
- Placements: embed tabs and widgets in the portal UI
- App-level event.bind subscriptions that survive personnel changes
- Required path for anything distributable via Bitrix24.market
Our recommendation matrix
One-way lead feed from your website? Webhook, under a service account, with the URL in a secrets manager. Two-way ERP sync running for years? OAuth app — token rotation and user-independence justify the setup cost. Anything with UI inside Bitrix24? App, no choice. Quick internal script? Webhook, then delete it when done. When in doubt for production systems, we default to apps; for prototypes and internal tools, webhooks.