SDK Dashboard 2.4.0 Release - Securing your Webhook


A webhook delivers data to other applications as it happens, so you receive the data immediately. For security reasons, you probably want to accept only requests that come from Qiscus. You can do this by generating a webhook signature token, which lets you verify that a request really comes from the Qiscus server.


You can secure your webhook by following these steps:

  1. Go to the Setting menu in the SDK Dashboard
  2. Add a webhook URL
  3. Generate a webhook signature token
  4. Validate the payload from Qiscus

Step 1: Go to Setting Menu in SDK Dashboard

First, go to the Setting menu in the Qiscus SDK Dashboard. You can see the picture below as a reference.


Step 2: Add Webhook URL

Add the webhook URL. If the webhook URL is empty, you can't generate a signature token. You can see the picture below as a reference:


Step 3: Generate Webhook Signature Token

After adding the webhook URL, click Generate New Token to retrieve the signature token from Qiscus.


If you follow the steps successfully, the signature token is added to the request. This is an example based on the steps we have done.


Step 4: Validate Payload from Qiscus

When your signature token is generated, Qiscus uses it to create a hash signature with each payload. This hash signature is passed along with each request in the headers as QISCUS-SDK-SIGNATURE.

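The signature is generated with SHA256 (the example below computes it as an HMAC-SHA256 keyed with the signature token). To make sure a request comes from Qiscus, compute the hash of the payload yourself and check that it matches the QISCUS-SDK-SIGNATURE header. Here is an example of how to validate the signature token: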

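package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)
func main() {
	token := "YOUR_SIGNATURE_TOKEN"             // placeholder: signature token from the SDK Dashboard
	received := "SIGNATURE_FROM_REQUEST_HEADER" // placeholder: value of the QISCUS-SDK-SIGNATURE header
	payload := `{"payload":{"from":{"avatar_url":"https://image.url/image.jpeg","email":"","id":140220,"id_str":"140220","name":"Qiscus Demo"},...},...}`
	// Create a new HMAC by defining the hash type and the key (as byte array)
	h := hmac.New(sha256.New, []byte(token))
	// Write the payload (the request body) to it
	h.Write([]byte(payload))
	// Get result and encode as hexadecimal string
	signature := hex.EncodeToString(h.Sum(nil))
	// Check whether the signature you computed is the same as the QISCUS-SDK-SIGNATURE
	// request header sent by Qiscus; hmac.Equal compares in constant time
	fmt.Println("signature valid:", hmac.Equal([]byte(signature), []byte(received)))
}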
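
The same check placed inside an HTTP receiver, so that a request with a missing or wrong QISCUS-SDK-SIGNATURE is rejected before the payload is parsed. This is an added example, not code from Qiscus. It assumes the header carries the lowercase hex HMAC-SHA256 of the raw request body (as the snippet above produces); the names `sign`, `webhook` and `deliver`, the 1 MiB body limit and the sample token and body are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sign returns the hex HMAC-SHA256 of body, keyed with the signature token.
func sign(token string, body []byte) string {
	h := hmac.New(sha256.New, []byte(token))
	h.Write(body)
	return hex.EncodeToString(h.Sum(nil))
}

// webhook accepts a request only if QISCUS-SDK-SIGNATURE matches its raw body.
func webhook(token string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Hash the exact bytes received, then compare in constant time (hmac.Equal).
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			http.Error(w, "unreadable body", http.StatusBadRequest)
			return
		}
		if got := r.Header.Get("QISCUS-SDK-SIGNATURE"); !hmac.Equal([]byte(got), []byte(sign(token, body))) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK) // body is authentic; parse it from here on
	}
}

// deliver posts body with header value sig to the handler and returns the status.
func deliver(token, body, sig string) int {
	req := httptest.NewRequest(http.MethodPost, "/hook", strings.NewReader(body))
	req.Header.Set("QISCUS-SDK-SIGNATURE", sig)
	rec := httptest.NewRecorder()
	webhook(token).ServeHTTP(rec, req)
	return rec.Code
}

func main() { // constructed token and body; the second delivery is unsigned
	fmt.Println(deliver("tok", `{"id":1}`, sign("tok", []byte(`{"id":1}`))), deliver("tok", `{"id":1}`, ""))
}
```

Verify against the bytes as they arrived: decoding the JSON and re-encoding it before hashing can change whitespace or key order and make a valid request fail.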

For further information, you can refer to these docs.

If you have a question about the changes above, please feel free to send us feedback at support.


Chat SDK Product Team
