Add to the Sendbird webhook docs that "master api key" is needed to decode signature

I just spent about an hour debugging why my webhook signature didn’t match; I was using a sub API key rather than the master.

Ability to also reset master api keys would be nice, since we can’t do that, which forces me to use a sub key…

Hey @SamKK,

This was discussed to some degree here: Help with authenticating webhook signature - #2 by Jason

I’ll look into getting a note added into the documentation to reflect the requirements.

If you need to reset the master_api key, you can reach out to the support team and we can have it reset for you.

Thanks,
Tyler

Yeah… it’s just most people will head to the docs rather than look through countless posts - I never even discovered this post when trying to resolve my issue.

If you want, here’s also a PHP (Laravel) snippet if you’d like to add that to the docs for others

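public function handle(Request $request): JsonResponse
{
    // Signature sent by Sendbird with the webhook request
    $signature = $request->header('x-sendbird-signature');
    // Raw request body, exactly as received (not the parsed JSON)
    $body      = $request->getContent();
    // Master API key stored in Laravel config
    $apiKey    = config('services.sendbird.api_key');

    $hash = hash_hmac('sha256', $body, $apiKey);

    // Abort the request when the header is missing or the hash and signature
    // don't match; hash_equals() compares in constant time
    if (!is_string($signature) || !hash_equals($hash, $signature)) {
        abort(401);
    }

    // Do some webhooky things...

    // The declared return type requires a JsonResponse
    return response()->json([]);
}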

@Tyler reminder to get the “You must use the master API key to verify webhook signatures” into the general docs. Just spent the last 2 hours struggling with post body parsers.

Actually - it would be best if we could use a secondary api token. I don’t feel comfortable using the Master token in any of my applications…

Hey @bneigher,

Thank you for the reminder. The issue we have right now with master vs secondary is that we can only sign with one token. Because the master is more static and can’t be deleted by the customer, it’s what has been used. I’ll discuss with the team to see if we can implement a method to allow users to determine which token is utilized for auth.

Yea I get that - maybe in the webhook settings we can set the token used to sign webhook payloads (master selected by default, secondary available as options in the dropdown).

Thanks
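
The two mismatches reported in this thread (a sub API key instead of the master key, and a body that passed through a parser before hashing), reproduced in a stand-alone PHP script. This is an added example, not code from the thread or from Sendbird; the function name, keys and payload are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (the name is an assumption): checks the value of the
// x-sendbird-signature header against the hex HMAC-SHA256 of the raw body,
// the same computation as the Laravel snippet earlier in the thread.
function verifyWebhookSignature(string $rawBody, ?string $signature, string $apiKey): bool
{
    if ($signature === null || $signature === '') {
        return false; // header missing: reject without further work
    }
    $expected = hash_hmac('sha256', $rawBody, $apiKey);

    return hash_equals($expected, $signature); // constant-time comparison
}

// Constructed sample values: not real keys and not a real Sendbird payload.
$masterKey = 'constructed-master-api-key';
$subKey    = 'constructed-sub-api-key';
$rawBody   = '{"category":"example:event","url":"https://example.com/a"}';

// Signature as the sender computes it: master key over the exact bytes sent.
$header = hash_hmac('sha256', $rawBody, $masterKey);

// What remains after a body parser decodes the JSON and the application
// re-encodes it: the same data, but different bytes (json_encode escapes "/").
$decoded   = json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);
$reencoded = json_encode($decoded, JSON_THROW_ON_ERROR);

$cases = [
    'raw body, master key'        => verifyWebhookSignature($rawBody, $header, $masterKey),
    'raw body, sub key'           => verifyWebhookSignature($rawBody, $header, $subKey),
    're-encoded body, master key' => verifyWebhookSignature($reencoded, $header, $masterKey),
    'missing header'              => verifyWebhookSignature($rawBody, null, $masterKey),
];

foreach ($cases as $label => $ok) {
    printf("%-30s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the first case is accepted, so when a signature fails to match, check which key is configured and whether the hash is taken over the untouched request body.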