Forum Academy Marketplace Showcase Pricing Features

Validating Whatsapp Webhooks


In order to validate Whatsapp webhooks I need to get, from the webhook’s json, this header that contains a signature:

The problem is that this endpoint couldn’t be initialized by auto detecting its parameters (including the desired header) because Meta required to return a code that they sent in the first webhook (reading this you can understand better:


In conclusion, the header was not and, apparently, cannot be auto detected by auto initializing the endpoint so I don’t know how to get that string (the signature).

Any suggestions on how to get that header’s string?

1 Like

I’m not sure I understand the roadblock you’re facing. From what I can understand, you already know that the verification header will look like, right?

If that’s the case, you can manually edit the json request data to include that header. If they only need you to return that value to initialize your webhook, just return it. After that you can initialize your endpoint again.

Let me know if I’m not understanding this correctly

1 Like

That’s strange, but I guess I understand. Since there are no workflows running during the autodetect process, then it makes sense.

Instead of using postman, I think you could skip auto detect and just have one workflow action that returns the sha 256 value. You do this by manually recreating the JSON in the request data section, and make sure to recreate the header. I don’t think you need to recreate the whole call, just make sure a body and header exists and that the header is in the correct place.

Then, what you do is have meta send the request and you return the value. Okay, now Meta should be okay with the value you give it. (Note: Meta might want the value INSIDE the sha246={long thing here}. In this case, you’re going to need to use a plug-in or some custom js)

Now, click auto detect data ( note we returned the value of the sha256 code in the previous step, now we are gonna do the real thing). The next time Meta sends a request you will get the real structure of the call!


Thanks for your help @jonah.deleseleuc! In the end, this ended up working:

Yup, that’s what I meant

1 Like

I was wondering if you have any idea about how to do the next step, which is Escaping a string to unicode lowercase hex digits. Please let me know, if possible, thanks!

This topic was automatically closed after 70 days. New replies are no longer allowed.