Webhooks Verification [Solved]
I’m currently using the beta Account Activity API. Every DM to my account triggers a POST request to the registered webhook URL. Is there a recommended way to verify that the incoming requests are officially coming from Twitter?
There’s information on the Challenge Response Check in the documentation - is that what you need?
Ahh, it’s under the Validating the Signature Header section. Thanks!

Another question, I have been trying to produce the hash for validation and have not been able to produce the same one as the x-twitter-webhooks-signature header.

I used the same method as I am for generating the hash for the Challenge Response Check token. But instead of hashing the crc_token in this line:

import hmac, hashlib
sha256_hash_digest = hmac.new(APP_CONSUMER_SECRET, msg=crc_token, digestmod=hashlib.sha256).digest()

The crc_token is now the request body string:

{"direct_message_events":[{"type":"message_create","id":"902632971999428611","created_timestamp":"1504039445291","message_create":{"target":{ ... the rest is truncated

Is this the correct method for generating the validation hash?


Problem solved

I had to use the raw string of the body of the POST request to generate the hash. What didn’t work for me before was that the body was automatically converted to a JSON object, and I had to stringify the JSON, which did not result in the same string as the original payload sent with the POST request. Thank you for your help again!
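A worked version of the check this thread converges on, added here as an example (not code from the posts above or from Twitter): it recomputes the HMAC-SHA256 over the raw request bytes, compares it to the header in constant time, and shows why a body that was parsed and re-serialized by the web framework fails. The consumer secret and payload are constructed placeholders; the header layout (`sha256=` followed by the base64 digest) follows Twitter's Account Activity API documentation.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: not a real credential, not a real DM payload.
APP_CONSUMER_SECRET = b"example-consumer-secret"
RAW_BODY = (
    b'{"direct_message_events":[{"type":"message_create","id":"1",'
    b'"created_timestamp":"1504039445291"}]}'
)


def sign_body(consumer_secret: bytes, raw_body: bytes) -> str:
    """Build the x-twitter-webhooks-signature value: 'sha256=' + base64(HMAC-SHA256(secret, raw body))."""
    digest = hmac.new(consumer_secret, msg=raw_body, digestmod=hashlib.sha256).digest()
    return "sha256=" + base64.b64encode(digest).decode("ascii")


def verify_signature(consumer_secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Recompute the signature over the *raw* bytes and compare without leaking timing."""
    if not header_value.startswith("sha256="):
        return False
    expected = sign_body(consumer_secret, raw_body)
    return hmac.compare_digest(expected, header_value)


def reserialized_body(raw_body: bytes) -> bytes:
    """What a framework hands you after parsing and json.dumps(): same JSON value, different bytes
    (here the default ', ' and ': ' separators are enough to break the match)."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    header = sign_body(APP_CONSUMER_SECRET, RAW_BODY)
    print(verify_signature(APP_CONSUMER_SECRET, RAW_BODY, header))                       # True
    print(verify_signature(APP_CONSUMER_SECRET, reserialized_body(RAW_BODY), header))    # False
```

In a real handler, read the request body as bytes before any JSON middleware touches it and feed exactly those bytes to verify_signature.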
