開始使用
本文件會說明如何設定 Webhooks,以便在您的應用程式用戶為其用戶相片發佈任何變更時通知您。當您明白如何設定此 Webhooks 後,便知道如何設定所有 Webhooks。
設定任何 Webhooks 時,您都需要執行以下操作:
- 在安全的伺服器上建立可處理 HTTPS 要求的端點。
- 在您應用程式的應用程式管理中心中配置 Webhooks 產品。
下文將詳細說明這些步驟。
Create an Endpoint
Your endpoint must be able to process two types of HTTPS requests: Verification Requests and Event Notifications. Since both requests use HTTPs, your server must have a valid TLS or SSL certificate correctly configured and installed. Self-signed certificates are not supported.
The sections below explain what will be in each type of request and how to respond to them. Alternatively, you can use our sample app which is already configured to process these requests.
Verification Requests
Anytime you configure the Webhooks product in your App Dashboard, we'll send a GET request to your endpoint URL. Verification requests include the following query string parameters, appended to the end of your endpoint URL. They will look something like this:
Sample Verification Request
GET https://www.your-clever-domain-name.com/webhooks? hub.mode=subscribe& hub.challenge=1158201444& hub.verify_token=meatyhamhock
| Parameter | Sample Value | Description |
|---|---|---|
|
| This value will always be set to |
|
| An |
|
| A string that that we grab from the Verify Token field in your app's App Dashboard. You will set this string when you complete the Webhooks configuration settings steps. |
Note: PHP converts periods (.) to underscores (_) in parameter names.
Validating Verification Requests
Whenever your endpoint receives a verification request, it must:
- Verify that the
hub.verify_tokenvalue matches the string you set in the Verify Token field when you configure the Webhooks product in your App Dashboard (you haven't set up this token string yet). - Respond with the
hub.challengevalue.
If you are in your App Dashboard and configuring your Webhooks product (and thus, triggering a Verification Request), the dashboard will indicate if your endpoint validated the request correctly. If you are using the Graph API's /app/subscriptions endpoint to configure the Webhooks product, the API will indicate success or failure with a response.
Event Notifications
When you configure your Webhooks product, you will subscribe to specific fields on an object type (e.g., the photos field on the user object). Whenever there's a change to one of these fields, we will send your endpoint a POST request with a JSON payload describing the change.
For example, if you subscribed to the user object's photos field and one of your app's Users posted a Photo, we would send you a POST request that would look something like this:
POST / HTTPS/1.1
Host: your-clever-domain-name.com/webhooks
Content-Type: application/json
X-Hub-Signature-256: sha256={super-long-SHA256-signature}
Content-Length: 311
{
"entry": [
{
"time": 1520383571,
"changes": [
{
"field": "photos",
"value":
{
"verb": "update",
"object_id": "10211885744794461"
}
}
],
"id": "10210299214172187",
"uid": "10210299214172187"
}
],
"object": "user"
}Payload Contents
Payloads will contain an object describing the change. When you configure the webhooks product, you can indicate if payloads should only contain the names of changed fields, or if payloads should include the new values as well.
We format all payloads with JSON, so you can parse the payload using common JSON parsing methods or packages.
We do not store any Webhook event notification data that we send you, so be sure to capture and store any payload content that you want to keep.
Most payloads will contain the following common properties, but the contents and structure of each payload varies depending on the object fields you are subscribed to. Refer to each object's reference document to see which fields will be included.
| Property | Description | Type |
|---|---|---|
| The object's type (e.g., |
|
| An array containing an object describing the changes. Multiple changes from different objects that are of the same type may be batched together. |
|
| The object's ID |
|
| An array of strings indicating the names of the fields that have been changed. Only included if you disable the Include Values setting when configuring the Webhooks product in your app's App Dashboard. |
|
| An array containing an object describing the changed fields and their new values. Only included if you enable the Include Values setting when configuring the Webhooks product in your app's App Dashboard. |
|
| A UNIX timestamp indicating when the Event Notification was sent (not when the change that triggered the notification occurred). |
|
Validating Payloads
We sign all Event Notification payloads with a SHA256 signature and include the signature in the request's X-Hub-Signature-256 header, preceded with sha256=. You don't have to validate the payload, but you should.
To validate the payload:
- Generate a SHA256 signature using the payload and your app's App Secret.
- Compare your signature to the signature in the
X-Hub-Signature-256header (everything aftersha256=). If the signatures match, the payload is genuine.
Responding to Event Notifications
Your endpoint should respond to all Event Notifications with 200 OK HTTPS.
Frequency
Event Notifications are aggregated and sent in a batch with a maximum of 1000 updates. However batching cannot be guaranteed so be sure to adjust your servers to handle each Webhook individually.
If any update sent to your server fails, we will retry immediately, then try a few more times with decreasing frequency over the next 36 hours. Your server should handle deduplication in these cases. Unacknowledged responses will be dropped after 36 hours.
Note: The frequency with which Messenger event notifications are sent is different. Please refer to the Messenger Platform Webhooks documentation for more information.
配置 Webhooks 產品
在您的端點或範例應用程式準備就緒後,請使用您應用程式的應用程式管理中心來新增及配置 Webhooks 產品。您亦可透過適用於所有 Webhooks(Instagram 除外)的 /{app-id}/subscriptions 端點,透過程式輔助的方式完成操作。
在本例子中,我們將使用管理中心來配置 Webhooks,且此 Webhooks 會訂閱您應用程式任何用戶之相片的任何變更。
- 在應用程式管理中心,前往「產品」>「Webhooks」,然後從下拉式選單中選擇「用戶」,再點擊「訂閱此物件」。
選擇相關用戶物件。 在「回呼網址」欄位中輸入端點網址,並在「驗證憑證」欄位中輸入字串。我們會在所有驗證要求中加入此字串。如果您正在使用我們其中一個範例應用程式,則此字串應該就是您用於自家應用程式
如果您希望事件通知裝載包含已更改欄位的名稱及其新值,請將包含數值切換為是。TOKEN配置變數的同一組字串。
輸入端點網址和驗證憑證字串。點擊驗證並儲存後,我們便會傳送驗證要求給您的端點,而您必須驗證此要求。如果您的端點成功驗證了要求,您應該會看到以下畫面:
驗證成功。最後一個步驟是訂閱個別欄位。訂閱
photos欄位,並傳送測試事件通知。
訂閱用戶物件的相片欄位。如果您的端點設定正確,它應該會驗證裝載,並會在驗證成功後,執行您為其設定的任何程式碼。如果您正在使用我們的範例應用程式,請在網頁瀏覽器中載入應用程式網址。畫面應該會顯示裝載內容:
顯示測試通知裝載的範例應用程式。
適用於 Webhooks 的 mTLS
雙向 TLS(mTLS)是一種雙向驗證的方法。
mTLS 透過驗證網絡連線兩端的雙方是否均擁有正確的私人密鑰,確保雙方與其所聲稱的身分相符。各自的 TLS 憑證中的資訊提供了額外的驗證資料。
如何配置 mTLS
當您在 WhatsApp Business 帳戶訂閱中啟用 mTLS 後,Meta 會提供一個用戶端憑證及其簽署的中級憑證。這兩種憑證均會在 Webhooks 要求的 TLS 合作過程中,向您的伺服器提供。然後,您的伺服器可以透過信任鏈和一般名稱(common name,CN)驗證這些要求的傳送者身分。
用戶端憑證由中級 CA 憑證(DigiCert SHA2 High Assurance Server CA)簽署,再由根 CA 憑證(DigiCert High Assurance EV Root CA)簽署。請注意,中級憑證亦會簽署 graph.facebook.com 的憑證:
用戶端憑證驗證
設定 HTTPS 來接收 Webhook 要求後,請完成以下步驟來驗證用戶端憑證及其一般名稱 client.webhooks.fbclientcerts.com:
- 安裝根憑證
- 根據根憑證驗證用戶端憑證
- 驗證用戶端憑證的一般名稱(
client.webhooks.fbclientcerts.com)
備註:接收 Webhooks 的伺服器必須使用 HTTPS;為安全起見,我們一律會驗證來自您 HTTPS 伺服器的憑證。
範例
視乎您伺服器的設定,上述步驟的細節各不相同。讓我們以兩個例子作說明,分別針對 Nginx 和 AWS 應用程式負載平衡器(ALB)。
Nginx
將根憑證(DigiCert High Assurance EV Root CA)從 DigiCert 下載到您的伺服器,例如
/etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem透過 Nginx 指令開啟 mTLS(範例螢幕截圖)
ssl_verify_client on; ssl_client_certificate /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem; ssl_verify_depth 3;確認 Nginx 內嵌變數
$ssl_client_s_dn中的 CN 是否等於"client.webhooks.fbclientcerts.com"(範例螢幕截圖)if ($ssl_client_s_dn ~ "CN=client.webhooks.fbclientcerts.com") { return 200 "$ssl_client_s_dn"; }
AWS 應用程式負載平衡器(ALB)
- 將中級憑證(DigiCert SHA2 High Assurance Server CA)從 DigiCert 下載到 S3 儲存貯體。根憑證以演算法 SHA1withRSA 簽署,因此不獲 AWS 接受;中級憑證以 SHA256withRSA 簽署,因此可獲接受。
- 在 ALB 上配置 HTTPS 接聽程式,以透過 S3 儲存貯體中包含憑證的信任存放區啟用 mTLS(範例螢幕截圖)。
- 在您的應用程式程式碼中,從 HTTP 標頭「“X-Amzn-Mtls-Clientcert-Subject”」中擷取 CN,並確認是否等於「
“client.webhooks.fbclientcerts.com”」。
後續步驟
既然您已知道如何設定 Webhooks,不妨參閱其他文件,了解為特定產品設定 Webhooks 時所涉及的額外步驟: