restauthenticationwebhookswhatsappsmooch
Securing Smooch Webhooks
I use smooch whatsapp integration and smooch webhook to create a bot in whatsapp.
I want to authenticate the posts that come from my webhook.
I saw in the documents that there is a variable in the headers: x-api-key, that should be used exactly for that:
I can not find any explanation of how this variable is used. I realized that it contained the secret key of the webhook. But what else?
How do I create from the data/body another signature to check if it's match to what sent in the header?
Solution
I haven't used Smooch webhooks before, but my reading of their docs leads me to believe the following:
- The
X-Api-Keyisn't the usual webhook signature used to sign the payload. It's actually just a simple secret returned in each webhook POST request for an event. - The secret is automatically generated when you create the webhook and returned in the
secretfield. - You can also get the secret using the GET webhook endpoint. Other methods also appear to return the secret.
- Save the secret somehow, then simply compare the
X-Api-Keyheader value for the secret on each webhook event request to verify authenticity. - You could rotate the secret by programmatically deleting and re-recreating the webhook whenever necessary.
- How to send multiple files in postman ReSTful web service?
- Rest Spring boot converts a response with duplicate object to id of that object
- Post with REST API on Wordpress.com [Error 401, not allowed]
- How to configure JSON deserialization options in .NET minimal API project
- How to update array using PUT API request in Strapi
- Using REST API in Python to run Workflows in Azure Purview
- Conversion API Purchase Event does't work
- Should PUT and DELETE be used in forms?
- Workday: is there an API or other programmatic way to download the output files from an integration event?
- How to find Bitbucket Account UUID?
- Why is django-ninja PUT endpoint not using value from request body but instead is returning the default value for field to be updated (ModelSchema)?
- CORS with spring-boot and angularjs not working
- Restful FedEx Trade Document Upload API - Can't upload signature or letterhead images
- Which datatype to use at JPA entity to store and retrieve date using java 8
- Patch Request in Java Spring Boot nulls ManyToOne
- Is it possible to update an existing Zimbra ZCS contact using the REST API?
- What's the difference between REST & RESTful
- VAT Checker Apps Script
- Meteor server api using iron router returns HTML not the response
- How to return global object from a Rocket REST API?
- How to map this Json with rest template spring boot
- Office 365 REST API - Creating a Contact gives me HTTPCode 400
- Guidance for writing a wrapper for a REST API
- PayPal REST API: Search by BUYER Transaction ID
- Django rest framework where to write complex logic in serializer.py or views.py?
- REST and spring-mvc
- Cookie in Thunder Client VS Code extension
- How to write a generic handler in Go?
- How to make a script to automate taking the GET data from my wordpress site and POST to another server
- How do you set a scenario when doing a restful call in Yii2 to return certain fields