Not all APIs are built for 2 way (Request/Response) communication. Many times, there is a need for unsolicited asynchronous messages that originate from the external system and need to send data to Salesforce. Examples of this could be a new order placed in the system that needs to be added to the org, or any other notification of a given event happening. These are most commonly referred to as Webhooks or Callbacks. These are messages that are set up with a Callback URL that points to the specific Salesforce Organization that is expecting it. In order for this to function properly, the receiving system needs to know that this is coming. Nexus provides the centralized hub that allows for this to happen. Since the OAuth2 connection between Nexus and Salesforce has been established for messages that originate from the Salesforce Org, by allowing access to that OAuth2 Refresh Token, then Nexus is able to obtain an Access Token when it gets a valid incoming message so it can be pushed to the correct org. We refer to these Connectors and Functions as 'Listeners'.
If an 'Inbound Only' connector has been installed, there will be an additional option to 'Grant Access' on the 'Nexus Admin' home page. By clicking this button, Nexus will store the org's Refresh Token securely on the Nexus Server so it can retrieve an Access Token and deliver the payload without an 'Outbound' request. Additional security features built in to ensure the request is coming from a legitimate Nexus Partner. These can be things like OAuth2 or Signature based encoding of data, and are dependent on the external system's architecture and capabilities.
Once access has been granted, it can be revoked at any time.
Mapping of 'Inbound Only' events is the same as mapping the Inbound Event of a two way function with one major exception. Since there is no 'OriginatingRecordId' field that identifies the record, if 'Upsert' is selected as the DML type during mapping, then either the Salesforce Id or an External Id MUST be present in the payload and mapped in order for a record to be update. 'Insert' DML Type is always an option if one of these is not present.
While the security method for the callout is primarily handled by IOLITE during the initial setup of a Connector, most Listeners will need to be set up directly with the company that is providing the callbacks, as they will need to have the unique Callback URL. Check the Connector specific instructions for information on who to contact or otherwise how to provide the Callback URL. This will likely take place when establishing the initial API Credentials unique to your account with that provider company.