I use the Smooch WhatsApp integration and a Smooch webhook to create a bot in WhatsApp.

I want to authenticate the posts that come from my webhook.

I saw in the documentation that there is a header, x-api-key, that should be used exactly for that:

x-api-key

I cannot find any explanation of how this header is used. I realized that it contains the secret key of the webhook. But what else?

How do I create another signature from the data/body to check whether it matches what is sent in the header?

Hodaya Shalom

1 Answer

I haven't used Smooch webhooks before, but my reading of their docs leads me to believe the following:

  • The X-Api-Key isn't the usual webhook signature used to sign the payload. It's actually just a simple secret returned in each webhook POST request for an event.
  • The secret is automatically generated when you create the webhook and returned in the secret field.
  • You can also get the secret using the GET webhook endpoint. Other methods also appear to return the secret.
  • Save the secret somehow, then simply compare the X-Api-Key header value against the secret on each webhook event request to verify authenticity.
  • You could rotate the secret by programmatically deleting and re-creating the webhook whenever necessary.
dmulter
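The check the answer describes, as an added example rather than code from the question, the answer or Smooch: look up the X-Api-Key header case-insensitively, reject a missing or empty value, and compare it to the stored webhook secret with a constant-time comparison. Accepting a short list of secrets (current plus previous) is my own assumption, added so events are not dropped while deleting and re-creating the webhook.

```python
import hmac
from typing import Iterable, Mapping, Optional

HEADER_NAME = "x-api-key"  # header Smooch sends with each webhook POST


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup: HTTP header names are not case-sensitive,
    so 'X-Api-Key' and 'x-api-key' must be treated as the same header."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def verify_smooch_webhook(headers: Mapping[str, str],
                          accepted_secrets: Iterable[str]) -> bool:
    """Return True only if X-Api-Key equals one of the accepted secrets.

    accepted_secrets normally holds just the secret returned when the webhook
    was created; a second entry (the previous secret) can be kept during a
    rotation. Comparison uses hmac.compare_digest to avoid leaking, through
    timing, how many leading bytes of a guess were correct.
    """
    presented = get_header(headers, HEADER_NAME)
    if not presented:          # header absent or empty: never authentic
        return False
    matched = False
    for secret in accepted_secrets:
        if secret and hmac.compare_digest(presented.encode(), secret.encode()):
            matched = True     # keep looping: work is the same for every request
    return matched


if __name__ == "__main__":
    # Constructed sample request headers, not real Smooch traffic.
    stored_secret = "constructed-webhook-secret"
    good = {"Content-Type": "application/json", "X-Api-Key": stored_secret}
    bad = {"Content-Type": "application/json", "X-Api-Key": "wrong-secret"}
    print("genuine event accepted:", verify_smooch_webhook(good, [stored_secret]))
    print("forged event rejected:", not verify_smooch_webhook(bad, [stored_secret]))
```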