開始使用
這份文件說明 Webhook 的設定方式,以在每次應用程式用戶對其用戶相片發佈任何變更時通知您。一旦瞭解此 Webhook 的設定方式後,您就能知道如何設定所有 Webhook。
設定任何 Webhook 時,您都必須進行下列動作:
- 在可處理 HTTPS 要求的安全伺服器上建立端點。
- 在應用程式的應用程式主控板中設定 Webhooks 產品。
這些步驟詳述如下。
Create an Endpoint
Your endpoint must be able to process two types of HTTPS requests: Verification Requests and Event Notifications. Since both requests use HTTPs, your server must have a valid TLS or SSL certificate correctly configured and installed. Self-signed certificates are not supported.
The sections below explain what will be in each type of request and how to respond to them. Alternatively, you can use our sample app which is already configured to process these requests.
Verification Requests
Anytime you configure the Webhooks product in your App Dashboard, we'll send a GET request to your endpoint URL. Verification requests include the following query string parameters, appended to the end of your endpoint URL. They will look something like this:
Sample Verification Request
GET https://www.your-clever-domain-name.com/webhooks? hub.mode=subscribe& hub.challenge=1158201444& hub.verify_token=meatyhamhock
| Parameter | Sample Value | Description |
|---|---|---|
|
| This value will always be set to |
|
| An |
|
| A string that that we grab from the Verify Token field in your app's App Dashboard. You will set this string when you complete the Webhooks configuration settings steps. |
Note: PHP converts periods (.) to underscores (_) in parameter names.
Validating Verification Requests
Whenever your endpoint receives a verification request, it must:
- Verify that the
hub.verify_tokenvalue matches the string you set in the Verify Token field when you configure the Webhooks product in your App Dashboard (you haven't set up this token string yet). - Respond with the
hub.challengevalue.
If you are in your App Dashboard and configuring your Webhooks product (and thus, triggering a Verification Request), the dashboard will indicate if your endpoint validated the request correctly. If you are using the Graph API's /app/subscriptions endpoint to configure the Webhooks product, the API will indicate success or failure with a response.
Event Notifications
When you configure your Webhooks product, you will subscribe to specific fields on an object type (e.g., the photos field on the user object). Whenever there's a change to one of these fields, we will send your endpoint a POST request with a JSON payload describing the change.
For example, if you subscribed to the user object's photos field and one of your app's Users posted a Photo, we would send you a POST request that would look something like this:
POST / HTTPS/1.1
Host: your-clever-domain-name.com/webhooks
Content-Type: application/json
X-Hub-Signature-256: sha256={super-long-SHA256-signature}
Content-Length: 311
{
"entry": [
{
"time": 1520383571,
"changes": [
{
"field": "photos",
"value":
{
"verb": "update",
"object_id": "10211885744794461"
}
}
],
"id": "10210299214172187",
"uid": "10210299214172187"
}
],
"object": "user"
}Payload Contents
Payloads will contain an object describing the change. When you configure the webhooks product, you can indicate if payloads should only contain the names of changed fields, or if payloads should include the new values as well.
We format all payloads with JSON, so you can parse the payload using common JSON parsing methods or packages.
We do not store any Webhook event notification data that we send you, so be sure to capture and store any payload content that you want to keep.
Most payloads will contain the following common properties, but the contents and structure of each payload varies depending on the object fields you are subscribed to. Refer to each object's reference document to see which fields will be included.
| Property | Description | Type |
|---|---|---|
| The object's type (e.g., |
|
| An array containing an object describing the changes. Multiple changes from different objects that are of the same type may be batched together. |
|
| The object's ID |
|
| An array of strings indicating the names of the fields that have been changed. Only included if you disable the Include Values setting when configuring the Webhooks product in your app's App Dashboard. |
|
| An array containing an object describing the changed fields and their new values. Only included if you enable the Include Values setting when configuring the Webhooks product in your app's App Dashboard. |
|
| A UNIX timestamp indicating when the Event Notification was sent (not when the change that triggered the notification occurred). |
|
Validating Payloads
We sign all Event Notification payloads with a SHA256 signature and include the signature in the request's X-Hub-Signature-256 header, preceded with sha256=. You don't have to validate the payload, but you should.
To validate the payload:
- Generate a SHA256 signature using the payload and your app's App Secret.
- Compare your signature to the signature in the
X-Hub-Signature-256header (everything aftersha256=). If the signatures match, the payload is genuine.
Responding to Event Notifications
Your endpoint should respond to all Event Notifications with 200 OK HTTPS.
Frequency
Event Notifications are aggregated and sent in a batch with a maximum of 1000 updates. However batching cannot be guaranteed so be sure to adjust your servers to handle each Webhook individually.
If any update sent to your server fails, we will retry immediately, then try a few more times with decreasing frequency over the next 36 hours. Your server should handle deduplication in these cases. Unacknowledged responses will be dropped after 36 hours.
Note: The frequency with which Messenger event notifications are sent is different. Please refer to the Messenger Platform Webhooks documentation for more information.
配置 Webhooks 產品
準備好您的端點或應用程式範例後,使用應用程式的應用程式主控板,新增並設定 Webhooks 產品。除了 Instagram 外,您還可以使用所有 Webhooks 的 /{app-id}/subscriptions 端點,以程式設計的方式執行此操作。
在這個範例中,我們將使用主控板設定 Webhook,以訂閱任何應用程式用戶的任何相片變更。
- 在應用程式主控板中,前往產品 > Webhooks,並從下拉式功能表選擇用戶,然後點擊「訂閱此物件」。
選擇用戶物件。 在回呼網址欄位輸入端點網址,並在驗證權杖欄位輸入字串。我們會在所有驗證要求中包含此字串。如果您使用我們其中一個應用程式範例,這個字串應該與應用程式
如果您希望事件通知承載包含已變更的欄位名稱及其新值,請將包含值切換為是。TOKEN設定變數所使用的字串相同。
輸入端點網址和驗證權杖字串。點擊「驗證並儲存」後,我們會向您的端點傳送驗證要求,您必須驗證才能繼續進行。如果端點成功驗證要求,您應該會看見:
成功驗證。最後一步是訂閱個別欄位。訂閱
photos欄位,並傳送測試事件通知。
訂閱用戶物件上的相片欄位。如果端點設定正確,端點應該會驗證承載,並執行您設定其應在成功驗證後執行的任何程式碼。如果您使用我們的應用程式範例,請在網頁瀏覽器中載入應用程式網址。瀏覽器應該會顯示承載的內容:
顯示測試通知承載的應用程式範例。
Webhooks 的 mTLS
共同 TLS(mTLS)是一種共同驗證的方法。
mTLS 透過驗證雙方都擁有正確的私密金鑰,確保網路連線兩端的雙方都是其所宣稱的身分。其各自 TLS 憑證中的資訊可提供額外的驗證。
如何配置 mTLS
一旦您在 WhatsApp Business 帳號訂閱中啟用 mTLS,Meta 將會顯示用戶端憑證及其簽署的中繼憑證。這兩種憑證皆可用於建立 Webhook 要求向您的伺服器進行的 TLS 交握。您的伺服器之後可以透過信任鏈和通用名稱(CN),驗證這些要求的傳送者身分。
用戶端憑證是由中繼 CA 憑證 DigiCert SHA2 High Assurance Server CA 簽署,然後再由根 CA 憑證 DigiCert High Assurance EV Root CA 簽署。請注意,中繼憑證也會簽署 graph.facebook.com 的憑證:
用戶端憑證驗證
設定用於接收 Webhook 要求的 HTTPS 之後,請完成以下步驟,才能驗證用戶端憑證及其通用名稱 client.webhooks.fbclientcerts.com:
- 安裝根憑證
- 對照根憑證驗證用戶端憑證
- 驗證用戶端憑證的通用名稱(
client.webhooks.fbclientcerts.com)
備註:接收 Webhooks 的伺服器必須使用 HTTPS;為了安全起見,我們一律會驗證來自 HTTPS 伺服器的憑證。
範例
根據伺服器的設定,上述步驟在細節上會有所不同。我們將透過兩個範例進行說明,一個用於 Nginx,另一個用於 AWS 應用程式負載平衡器(ALB)。
Nginx
將根憑證(DigiCert High Assurance EV Root CA)從 DigiCert 下載到伺服器,例如
/etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem透過 Nginx 指示詞開啟 mTLS(螢幕截圖範例)
ssl_verify_client on; ssl_client_certificate /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem; ssl_verify_depth 3;驗證 Nginx 嵌入變數
$ssl_client_s_dn中的 CN 是否等於"client.webhooks.fbclientcerts.com"(螢幕截圖範例)if ($ssl_client_s_dn ~ "CN=client.webhooks.fbclientcerts.com") { return 200 "$ssl_client_s_dn"; }
AWS 應用程式負載平衡器(ALB)
- 將中繼憑證(DigiCert SHA2 High Assurance Server CA)從 DigiCert 下載到 S3 儲存貯體。根憑證未由 AWS 接受,因為該憑證是使用演算法 SHA1withRSA 簽署的,而中繼憑證是使用 SHA256withRSA 演算法簽署的,因此 AWS 接受。
- 在 ALB 上設定 HTTPS 接聽程式,以透過包含 S3 儲存貯體中憑證的信任存放區啟用 mTLS(螢幕截圖範例)。
- 在應用程式程式碼中,從 HTTP 標頭 “X-Amzn-Mtls-Clientcert-Subject” 擷取 CN,並驗證其是否等於
“client.webhooks.fbclientcerts.com”。
後續步驟
現在您已知道如何設定 Webhooks,接下來您可能會想參閱其他文件,以瞭解其他為特定產品設定 Webhooks 的步驟: