Endpoint

Description

HTTP/HTTPS endpoint hosted on your server for receiving subscription feed events

Requirements

  • Minimally the endpoint needs to support POST requests to be able to received published press releases.

  • Handle that the request body contains a News Item in JSON (or XML) format.

  • Respond with 200 if you correctly received the release. This tells our backend that it doesn't have to retry the request.

Recommended

  • Host the endpoint (callback) at a "hard to guess" URL.

  • Before using the post body, verify the received request using

    • HMAC - see below (if hub.secret was setup during subscribe)

Extras

  • Support GET requests to correctly implement the Subscribe flow.

  • Support "extended events", additional methods ( PUT and DELETE) to handle updates of the existing feed content. Updated press releases (PUT) and deleted/hidden press releases (DELETE).

  • Support the Ping Extension, which optionally pings all parts of your endpoint to make sure that it is still working. This can be useful in a production setup, since it can help us detect errors early, and notify you.

HMAC Verification

Using the secret you provided when you setup the subscription, you can verify the received request content by the following algorithm (pseudo code). Note there are some examples of HMAC verification in actual languages available at Code Samples. Our servers will send the the HMAC signature in the X-Hub-Signature header as described in the WebSub documentation.

received_hmac_sig = http_request.headers().get("X-Hub-Signature")
calced_hmac_sig = hmac_sha256.calc_sig(hub_secret, http_request.body())

if received_hmac_sig == calced_hmac_sig:
  // SUCCESS
  persist(http_request.body())
  return 200 // this signals to use that we don't need to retry this request
else:
  // MALFORMED REQUEST
  return non-200 http status back to use to signal error, can include error msg
PreviousWebSubNextSubscribe (optional)

Last updated