Meta Admin Center
Getting started with Webhooks for MMA Security Audit Logs.

Webhooks for MMA Security Audit Logs

Webhooks allows you to receive real-time HTTP notifications Security Audit Log updates. This ensures you don't have to query the Graph API for changes to objects that may or may not have happened, and helps you avoid reaching your rate limit.

HTTPS Server

Webhooks are sent using HTTPS, so your server must must be able to receive and process HTTPS requests, and it must have a valid TLS/SSL certificate installed. Self-signed certificates are not supported.

Create an endpoint

This step must be completed before you can subscribe to any webhook fields in the App Dashboard.

Your endpoint must be able to process two types of HTTPS requests: Verification Requests and Event Notifications. Since both requests use HTTPs, your server must have a valid TLS or SSL certificate correctly configured and installed. Self-signed certificates are not supported.

The sections below explain what will be in each type of request and how to respond to them. Alternatively, you can use our sample app which is already configured to process these requests.

Verification Requests

Anytime you configure the Webhooks product in the Admin Center, we'll send a GET request to your endpoint URL. Verification requests include the following query string parameters, appended to the end of your endpoint URL. They will look something like this:

Sample Verification Request

GET https://www.your-clever-domain-name.com/webhooks?
  hub.mode=subscribe&
  hub.challenge=1158201444&
  hub.verify_token=meatyhamhock
ParameterSample ValueDescription

hub.mode

subscribe

This value will always be set to subscribe.

hub.challenge

1158201444

An int you must pass back to us.

hub.verify_token

meatyhamhock

A string that that we grab from the Verification token field when configuring Webhooks in Admin Center.

Note: PHP converts periods (.) to underscores (_) in parameter names.

Validating Verification Requests

Whenever your endpoint receives a verification request, it must:

  • Verify that the hub.verify_token value matches the string you set in the Verification token field when you configure the Webhooks in Admin Center (you haven't set up this token string yet).
  • Respond with the hub.challenge value.

Configuring Webhooks in Admin Center

Follow these steps to enable webhooks in Admin Center.

Create an integration as you would normally, providing a name and description

  1. Go to the Security page.
  2. Then go to the Security Integrations page.
  3. From there click on Add Integration.
  4. Fill in the Name and Description fields and optionally IP address.

From the settings page of your security integration click on the API access tab.

  1. Click on the API access tab.
  2. Enable view security logs and save.
  3. Click on Set up webhook.
  4. Specify the callback URL of your endpoint.
  5. Specify your verification token.
  6. Click on Verify and Save.

Next Steps

Now that you have successfully completed this guide, you will begin to receive Security Audit Logs at your configured end point whenever one is generated.