Endpoint

Description

HTTP/HTTPS endpoint hosted on your server for receiving subscribed feed events

Requirements

  • Minimally the endpoint needs to support POST requests to be able to received published press releases.

  • Handle that the request body contains a News Item in JSON (or XML) format.

  • Respond with 200 if you correctly received the release. This tells our backend that it doesn't have to retry the request.

Recommended

  • Support GET requests to correctly implement the Subscribe flow.

  • Host the endpoint (callback) at a "hard to guess" URL.

    • For example: https://site.se/news/mfn-sink/j40sk6kfj43lgkr

  • Before using the post body, verify the received request using

    • HMAC - see below (if hub.secret was setup during subscribe)

HMAC Verification

Using the secret you provided when you setup the subscription, you can verify the received request content by the following algorithm (pseudo code). Note there are some examples of HMAC verification in actual languages available at Code Samples. Our servers will send the the HMAC signature in the X-Hub-Signature header as described in the WebSub documentation.

received_hmac_sig = http_request.headers().get("X-Hub-Signature")
calced_hmac_sig = hmac_sha256.calc_sig(hub_secret, http_request.body())

if received_hmac_sig == calced_hmac_sig:
  // SUCCESS
  persist(http_request.body())
  return 200 // this signals to use that we don't need to retry this request
else:
  // MALFORMED REQUEST
  return non-200 http status back to use to signal error, can include error msg
PreviousWebSub / Webhook / PosthookNextSubscription

Last updated