Securing webhooks

Once your server is configured to receive payloads, it'll listen for any payload sent to the endpoint you configured. For security reasons, you probably want to limit requests to those coming from TextMaster. There are a few ways to go about this. For example, you could opt to allow requests from TextMaster's IP address but a far easier method is to set up a secret token and validate the information.

Setting your secret token

You'll need to set up your secret token in two places: on TextMaster when setting up the webhook URL and your server.

To set your token on TextMaster, simply include the token in the callback URL either globally on the user account or on specific resources. Use a random string with high entropy to generate your token. You can use the following ruby command for example:

ruby -rsecurerandom -e 'puts SecureRandom.hex(20)'

You can then include your secret token as an URL parameter of your choice. For example:

curl "https://api.textmaster.com/v1/clients/users/USER_ID" \
     -X PUT \
     -H "Authorization: Bearer ACCESS_TOKEN" \
     -H "Content-Type: application/json" \
     -d '
     {
       "user": {
         "callback": {
           "word_count_finished": {
             "url": "https://example.com/payload?token=6f90f415ca54b100c3e9d24fdf2988cbb0815f5d"
           }
         }
       }
     }
     '