立即开始
本文档将介绍如何设置 Webhooks,以便在您应用的用户对其用户照片发布任何更改时通知您。了解如何设置此 Webhooks 后,您就会知道如何设置所有 Webhooks。
设置任何 Webhooks 都需要您执行下列操作:
- 在可以处理 HTTPS 请求的安全服务器上创建端点。
- 在您应用的应用面板中配置 Webhooks 产品。
下文将详细介绍这些步骤。
Create an Endpoint
Your endpoint must be able to process two types of HTTPS requests: Verification Requests and Event Notifications. Since both requests use HTTPs, your server must have a valid TLS or SSL certificate correctly configured and installed. Self-signed certificates are not supported.
The sections below explain what will be in each type of request and how to respond to them. Alternatively, you can use our sample app which is already configured to process these requests.
Verification Requests
Anytime you configure the Webhooks product in your App Dashboard, we'll send a GET request to your endpoint URL. Verification requests include the following query string parameters, appended to the end of your endpoint URL. They will look something like this:
Sample Verification Request
GET https://www.your-clever-domain-name.com/webhooks? hub.mode=subscribe& hub.challenge=1158201444& hub.verify_token=meatyhamhock
| Parameter | Sample Value | Description |
|---|---|---|
|
| This value will always be set to |
|
| An |
|
| A string that that we grab from the Verify Token field in your app's App Dashboard. You will set this string when you complete the Webhooks configuration settings steps. |
Note: PHP converts periods (.) to underscores (_) in parameter names.
Validating Verification Requests
Whenever your endpoint receives a verification request, it must:
- Verify that the
hub.verify_tokenvalue matches the string you set in the Verify Token field when you configure the Webhooks product in your App Dashboard (you haven't set up this token string yet). - Respond with the
hub.challengevalue.
If you are in your App Dashboard and configuring your Webhooks product (and thus, triggering a Verification Request), the dashboard will indicate if your endpoint validated the request correctly. If you are using the Graph API's /app/subscriptions endpoint to configure the Webhooks product, the API will indicate success or failure with a response.
Event Notifications
When you configure your Webhooks product, you will subscribe to specific fields on an object type (e.g., the photos field on the user object). Whenever there's a change to one of these fields, we will send your endpoint a POST request with a JSON payload describing the change.
For example, if you subscribed to the user object's photos field and one of your app's Users posted a Photo, we would send you a POST request that would look something like this:
POST / HTTPS/1.1
Host: your-clever-domain-name.com/webhooks
Content-Type: application/json
X-Hub-Signature-256: sha256={super-long-SHA256-signature}
Content-Length: 311
{
"entry": [
{
"time": 1520383571,
"changes": [
{
"field": "photos",
"value":
{
"verb": "update",
"object_id": "10211885744794461"
}
}
],
"id": "10210299214172187",
"uid": "10210299214172187"
}
],
"object": "user"
}Payload Contents
Payloads will contain an object describing the change. When you configure the webhooks product, you can indicate if payloads should only contain the names of changed fields, or if payloads should include the new values as well.
We format all payloads with JSON, so you can parse the payload using common JSON parsing methods or packages.
We do not store any Webhook event notification data that we send you, so be sure to capture and store any payload content that you want to keep.
Most payloads will contain the following common properties, but the contents and structure of each payload varies depending on the object fields you are subscribed to. Refer to each object's reference document to see which fields will be included.
| Property | Description | Type |
|---|---|---|
| The object's type (e.g., |
|
| An array containing an object describing the changes. Multiple changes from different objects that are of the same type may be batched together. |
|
| The object's ID |
|
| An array of strings indicating the names of the fields that have been changed. Only included if you disable the Include Values setting when configuring the Webhooks product in your app's App Dashboard. |
|
| An array containing an object describing the changed fields and their new values. Only included if you enable the Include Values setting when configuring the Webhooks product in your app's App Dashboard. |
|
| A UNIX timestamp indicating when the Event Notification was sent (not when the change that triggered the notification occurred). |
|
Validating Payloads
We sign all Event Notification payloads with a SHA256 signature and include the signature in the request's X-Hub-Signature-256 header, preceded with sha256=. You don't have to validate the payload, but you should.
To validate the payload:
- Generate a SHA256 signature using the payload and your app's App Secret.
- Compare your signature to the signature in the
X-Hub-Signature-256header (everything aftersha256=). If the signatures match, the payload is genuine.
Responding to Event Notifications
Your endpoint should respond to all Event Notifications with 200 OK HTTPS.
Frequency
Event Notifications are aggregated and sent in a batch with a maximum of 1000 updates. However batching cannot be guaranteed so be sure to adjust your servers to handle each Webhook individually.
If any update sent to your server fails, we will retry immediately, then try a few more times with decreasing frequency over the next 36 hours. Your server should handle deduplication in these cases. Unacknowledged responses will be dropped after 36 hours.
Note: The frequency with which Messenger event notifications are sent is different. Please refer to the Messenger Platform Webhooks documentation for more information.
配置 Webhooks 产品
在您的端点或示例应用准备就绪后,请使用您应用的应用面板添加和配置 Webhooks 产品。您也可以对除 Instagram 以外的所有 Webhooks 使用 /{app-id}/subscriptions 端点,以编程方式执行此操作。
在此示例中,我们将使用面板配置 Webhooks,此 Webhooks 会订阅所有应用用户对照片作出的任何更改。
- 在应用面板中,前往产品 > Webhooks,再从下拉菜单中选择用户,然后点击订阅此对象。
选择用户对象。 在回调网址字段输入端点的网址,并在验证口令字段输入一个字符串。我们会在所有验证请求中加入此字符串。如果您使用其中一个示例应用,则此字符串应该与您在应用的
如果您希望事件通知负载包含已更改字段的名称及其新值,请将包含值切换为是。TOKEN配置变量中使用的字符串相同。
输入端点网址和验证口令字符串。点击验证并保存后,我们将向您的端点发送一个验证请求,而您必须完成验证。如果您的端点成功验证了请求,您应该会看到如下内容:
验证成功。最后一步是分别订阅每个字段。订阅
photos字段并发送测试事件通知。
订阅用户对象的“照片”字段。如果您的端点设置正确,则其应验证负载,并会在验证成功后执行您为其设置的任何代码。如果您在使用我们的示例应用,请在网页浏览器中加载应用网址。画面应该会显示负载内容:
显示测试通知负载的示例应用。
适用于 Webhooks 的 mTLS
双向 TLS (mTLS) 是一种双向身份验证方法。
mTLS 通过确认网络连接每一端的各方都拥有正确的私钥,来确保各方都是他们自己所声称的身份。他们各自 TLS 证书中的信息可提供额外验证。
如何配置 mTLS
如果您在订阅 WhatsApp Business 商业帐号时启用 mTLS,Meta 将提供一个客户端证书及其签名中间证书。这两个证书都用于创建一次与您服务器的 Webhooks 请求 TLS 握手。然后,您的服务器可以通过信任链和通用名称 (CN) 来验证这些请求的发送者身份。
客户端证书由中间 CA 证书 DigiCert SHA2 High Assurance Server CA 签名,然后由根 CA 证书 DigiCert High Assurance EV Root CA 签名。请注意,此中间证书也为 graph.facebook.com 的证书签名:
客户端证书验证
为接收 Webhooks 请求而设置 HTTPS 之后,请完成以下步骤,以验证客户端证书及其通用名称 client.webhooks.fbclientcerts.com:
- 安装根证书
- 对照根证书验证客户端证书
- 验证客户端证书的通用名称 (
client.webhooks.fbclientcerts.com)
注意:接收 Webhooks 的服务器必须使用 HTTPS;我们一直在验证来自您 HTTPS 服务器的证书,以确保安全。
示例
以上步骤的细节会因您服务器的设置而异。我们用两个示例来说明:一个是 Nginx,一个是 AWS 应用程序负载平衡器 (ALB)。
Nginx
将根证书 (DigiCert High Assurance EV Root CA) 从 DigiCert 下载到您的服务器,例如
/etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem通过 Nginx 指令打开 mTLS(截图示例)
ssl_verify_client on; ssl_client_certificate /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem; ssl_verify_depth 3;确认 Nginx 嵌入变量中的 CN
$ssl_client_s_dn等于"client.webhooks.fbclientcerts.com"(截图示例)if ($ssl_client_s_dn ~ "CN=client.webhooks.fbclientcerts.com") { return 200 "$ssl_client_s_dn"; }
AWS 应用程序负载均衡器 (ALB)
- 将中间证书 (DigiCert SHA2 High Assurance Server CA) 从 DigiCert 下载到 S3 存储桶。此根证书未被 AWS 所接受,因为该证书使用算法 SHA1withRSA 来签名;而此中间证书使用 SHA256withRSA 来签名,因此该证书被接受。
- 在 ALB 上配置 HTTPS 监听器,以启用带有信任存储(其 S3 存储桶中包含此证书)的 mTLS(截图示例)。
- 在您的应用程序代码中,从 HTTP 标头“X-Amzn-Mtls-Clientcert-Subject”中提取 CN,并验证其是否等于
“client.webhooks.fbclientcerts.com”。
后续步骤
在掌握了 Webhooks 的设置方法后,您可以查看我们的其他文档,了解为特定产品设置 Webhooks 时所需的额外步骤: