
> The "refl.me" key must always be true, otherwise an error will be called.

Why?



My guess would be as a sort of "signoff" from the person hosting the JSON that refl.me is approved to use their endpoint. It sidesteps a slew of abuse issues by either knowing it's a feed you own OR a feed you are re-hosting/proxying and so the liability rests with you.

In my mind it's in the same category as Google throwing garbage or while(1){} loops at the start of their JSON responses to prevent XSS JSON reflection attacks. I know it's not the same thing at all but idk, that's what comes to mind for me.

EDIT: Of course I think of a better comparison as soon as I hit submit: Sort of like LetsEncrypt looking for a .well-known/acme-challenge to validate your domain.


Yes.


Wish this wasn’t the case, would love to integrate services I don’t control into this.


I won't pretend it's "so easy" or anything like that but could you just proxy those requests and add the key yourself? AWS Lambda comes to mind as a cheap/free way to accomplish this with the benefit of letting you modify the data if needed on the fly (or even check against a DynamoDB for history/other rules).


Wouldn’t this defeat one of the benefits of this software, the need to not host your own server (or any backend infrastructure)?


I think the value-add with this service is the notification sending just by exposing an endpoint. I don't see any mention of not needing backend infrastructure (they even call out "connect your web service").

I think this is aimed at people who already are or can expose data via an HTTP endpoint and want notifications when that changes/updates. This includes the wide array of software developers who work on large OS projects that support sending notifications via services like PushBullet/Pushover/etc. Also, presumably, web services would just add a new endpoint with some auth token to easily send push notifications to their users without managing an app and everything else needed (push tokens, certs, GCM/FCM, apns, it can be a headache, trust me).

Personally I see pushover-type services (I use pushover so I'm only speaking from that experience) as more useful since I can "push" out of my networks much easier than a service can "poll" me. That said pushover has always been a little clunky IMHO with trying to get a service to send me notifications. So a simple "Paste this url into the refl.me app to get notifications from us" is a pretty attractive alternative for certain use cases.


I’m curious how many services you want to integrate match the format refl.me expects (namely a JSON object with at least a “message” property).

It seems likely you’d need to proxy most services anyway. With numerous FaaS providers these days that seems trivial.


Proxy them, add the key.

[EDIT] damn, beaten to the punch.



