Securing Smooch Webhooks
I use smooch whatsapp integration and smooch webhook to create a bot in whatsapp.
I want to authenticate the posts that come from my webhook.
I saw in the documents that there is a variable in the headers: x-api-key, that should be used exactly for that:
I can not find any explanation of how this variable is used. I realized that it contained the secret key of the webhook. But what else?
How do I create from the data/body another signature to check if it's match to what sent in the header?
Solution
I haven't used Smooch webhooks before, but my reading of their docs leads me to believe the following:
- The
X-Api-Keyisn't the usual webhook signature used to sign the payload. It's actually just a simple secret returned in each webhook POST request for an event. - The secret is automatically generated when you create the webhook and returned in the
secretfield. - You can also get the secret using the GET webhook endpoint. Other methods also appear to return the secret.
- Save the secret somehow, then simply compare the
X-Api-Keyheader value for the secret on each webhook event request to verify authenticity. - You could rotate the secret by programmatically deleting and re-recreating the webhook whenever necessary.
- slack custom workflow step response
- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Handler dispatch failed;
- Why would HTTP content negotiation be preferred to explicit parameters in an API scenario?
- HTTP Status 405 - Method Not Allowed Error for Rest API
- Binance REST API - Placing a PHP Order (POST) via Query String
- Which HTTP response code for "This email is already registered"?
- GET request not supported in custom API in Business Central. "BadRequest_MethodNotAllowed"
- Place API key in Headers or URL
- Access Microsoft Todo List via Rest API
- Groovy POST request with form filling in it
- 415 unsupported media type angular spring boot POST PUT http methods
- What HTTP methods should be chosen in a REST API when no CRUD operations are going to be performed?
- How I return HTTP 404 JSON/XML response in JAX-RS (Jersey) on Tomcat?
- How to properly implement login and token handling from REST endpoint in ASP.NET Core/MAUI Blazor
- TypeError - ctx.request.body is not a function
- How to call another api from same app in spring boot
- 403 Forbidden when introducing authorization on spring boot rest
- Generating REST documentation in a Codeigniter project
- How to access request body when using Django Rest Framework and avoid getting RawPostDataException
- Structuring linked backend queries and storage
- Google Drive REST in iOS
- Http Delete request to django returns a 301(Moved permenantly)
- How do I use StreamedRequest in Dart http library to upload a file?
- Deleting a Pinterest pin via Pinterest API in Objective-C
- How to easy implement 'REST API query language' with Querydsl and Spring Data to filter the entities?
- How to Get All Endpoints List After Startup, Spring Boot
- Protocol Buffer vs Json - when to choose one over the other?
- User authentication in mobile
- CORS - localhost as allowed origin in production
- My rest services relies on an external service. How do I mock it to use on my cucumber tests?