Webhooksの利用を始める

このドキュメントでは、アプリの利用者がユーザー写真の変更を公開したときに通知を受け取るためのWebhookの設定方法について説明します。このWebhookの設定の仕方を理解すれば、すべてのWebhooksを設定できるようになるでしょう。

Webhookを設定するには、次のことを行う必要があります。

HTTPSリクエストを処理できるセキュアサーバーにエンドポイントを作成する。
アプリのアプリダッシュボードでWebhooks製品を構成する。

これらのステップについては、以下で詳しく説明します。

エンドポイントを作成する

This step must be completed before you can subscribe to any webhook fields in the App Dashboard.

Your endpoint must be able to process two types of HTTPS requests: Verification Requests and Event Notifications. Since both requests use HTTPs, your server must have a valid TLS or SSL certificate correctly configured and installed. Self-signed certificates are not supported.

The sections below explain what will be in each type of request and how to respond to them. Alternatively, you can use our sample app which is already configured to process these requests.

認証リクエスト

Anytime you configure the Webhooks product in your App Dashboard, we'll send a GET request to your endpoint URL. Verification requests include the following query string parameters, appended to the end of your endpoint URL. They will look something like this:

Sample Verification Request

GET https://www.your-clever-domain-name.com/webhooks?
  hub.mode=subscribe&
  hub.challenge=1158201444&
  hub.verify_token=meatyhamhock

Parameter	Sample Value	Description
`hub.mode`	`subscribe`	This value will always be set to `subscribe`.
`hub.challenge`	`1158201444`	An `int` you must pass back to us.
`hub.verify_token`	`meatyhamhock`	A string that we grab from the Verify Token field in your app's App Dashboard. You will set this string when you complete the Webhooks configuration settings steps.

Note: PHP converts periods (.) to underscores (_) in parameter names.

Validating Verification Requests

Whenever your endpoint receives a verification request, it must:

Verify that the hub.verify_token value matches the string you set in the Verify Token field when you configure the Webhooks product in your App Dashboard (you haven't set up this token string yet).
Respond with the hub.challenge value.

If you are in your App Dashboard and configuring your Webhooks product (and thus, triggering a Verification Request), the dashboard will indicate if your endpoint validated the request correctly. If you are using the Graph API's /app/subscriptions endpoint to configure the Webhooks product, the API will indicate success or failure with a response.

イベントの通知

When you configure your Webhooks product, you will subscribe to specific fields on an object type (e.g., the photos field on the user object). Whenever there's a change to one of these fields, we will send your endpoint a POST request with a JSON payload describing the change.

For example, if you subscribed to the user object's photos field and one of your app's Users posted a Photo, we would send you a POST request that would look something like this:

POST / HTTPS/1.1
Host: your-clever-domain-name.com/webhooks
Content-Type: application/json
X-Hub-Signature-256: sha256={super-long-SHA256-signature}
Content-Length: 311

{
  "entry": [
    {
      "time": 1520383571,
      "changes": [
        {
          "field": "photos",
          "value":
            {
              "verb": "update",
              "object_id": "10211885744794461"
            }
        }
      ],
      "id": "10210299214172187",
      "uid": "10210299214172187"
    }
  ],
  "object": "user"
}

Payload Contents

Payloads will contain an object describing the change. When you configure the webhooks product, you can indicate if payloads should only contain the names of changed fields, or if payloads should include the new values as well.

We format all payloads with JSON, so you can parse the payload using common JSON parsing methods or packages.

You will not be able to query historical webhook event notification data, so be sure to capture and store any webhook payload content that you want to keep.

Most payloads will contain the following common properties, but the contents and structure of each payload varies depending on the object fields you are subscribed to. Refer to each object's reference document to see which fields will be included.

Property	Description	Type
`object`	The object's type (e.g., `user`, `page`, etc.)	`string`
`entry`	An array containing an object describing the changes. Multiple changes from different objects that are of the same type may be batched together.	`array`
`id`	The object's ID	`string`
`changed_fields`	An array of strings indicating the names of the fields that have been changed. Only included if you disable the Include Values setting when configuring the Webhooks product in your app's App Dashboard.	`array`
`changes`	An array containing an object describing the changed fields and their new values. Only included if you enable the Include Values setting when configuring the Webhooks product in your app's App Dashboard.	`array`
`time`	A UNIX timestamp indicating when the Event Notification was sent (not when the change that triggered the notification occurred).	`int`

Validating Payloads

We sign all Event Notification payloads with a SHA256 signature and include the signature in the request's X-Hub-Signature-256 header, preceded with sha256=. You don't have to validate the payload, but you should.

To validate the payload:

Generate a SHA256 signature using the payload and your app's App Secret.
Compare your signature to the signature in the X-Hub-Signature-256 header (everything after sha256=). If the signatures match, the payload is genuine.

Responding to Event Notifications

Your endpoint should respond to all Event Notifications with 200 OK HTTPS.

Frequency

Event Notifications are aggregated and sent in a batch with a maximum of 1000 updates. However batching cannot be guaranteed so be sure to adjust your servers to handle each Webhook individually.

If any update sent to your server fails, we will retry immediately, then try a few more times with decreasing frequency over the next 36 hours. Your server should handle deduplication in these cases. Unacknowledged responses will be dropped after 36 hours.

Note: The frequency with which Messenger event notifications are sent is different. Please refer to the Messenger Platform Webhooks documentation for more information.

Webhooks製品を構成する

エンドポイントまたはサンプルアプリの用意ができたら、アプリのアプリダッシュボードを使ってWebhooks製品を追加し、構成します。プログラムを使用して同じ操作をすることもできます。その場合には、Instagram以外のすべてのWebhooksに対して/{app-id}/subscriptionsエンドポイントを使います。

この例では、ダッシュボードを使って、アプリの利用者の写真に加えられた変更をフォローするWebhookを構成します。

アプリダッシュボードの[製品] > [Webhooks]に移動し、ドロップダウンメニューから[ユーザー]を選択し、[このオブジェクトをフォローする]をクリックします。
ユーザーオブジェクトを選択します。
[コールバックURL]フィールドにエンドポイントのURLを、[トークンの確認]フィールドに文字列を入力します。この文字列はすべての確認リクエストに含まれます。いずれかのサンプルアプリを使用している場合は、アプリのTOKEN構成変数に使った文字列と同じ文字列にしてください。
イベントのお知らせペイロードに、変更されたフィールドの名前だけでなく新規の値も含める場合は、[値を含める]を[Yes]に切り替えます。
エンドポイントURLと確認トークン文字列を入力します。
[確認して保存]をクリックすると、エンドポイントに確認リクエストが届くので、必ず確認してください。エンドポイントがリクエストの確認に成功すると、以下が表示されます。
確認成功。
最後のステップで、フィールドを個別にサブスクリプション登録します。photosフィールドをフォローし、テストイベント通知を送信します。
ユーザーオブジェクトのPhotosフィールドをフォローします。
エンドポイントが正しく設定されると、ペイロードが検証され、検証成功時に実行するよう設定されたコードが実行されます。サンプルアプリを使っている場合は、アプリのURLをウェブブラウザーで読み込んでください。ペイロードのコンテンツが次のように表示されます。
テスト通知ペイロードを表示しているサンプルアプリ。

mTLS for Webhooks

Mutual TLS (mTLS) is a method for mutual authentication.

mTLS ensures that the parties at each end of a network connection are who they claim to be by verifying that they both have the correct private key. The information within their respective TLS certificates provides additional verification.

How to configure mTLS

Once you enable mTLS on your subscription to WhatsApp Business Account, Meta will present a client certificate together with its signing intermediate certificate. Both certificates are used to create a TLS handshake of Webhook requests to your server. Your server then can verify the sender’s identity of these requests by the trust chain and the common name (CN).

The client certificate is signed by an intermediate CA certificate, DigiCert SHA2 High Assurance Server CA, and then by a root CA certificate, DigiCert High Assurance EV Root CA. Note that the intermediate certificate also signs the certificate for graph.facebook.com:

Client Certificate Verification

After setting up HTTPS for receiving Webhook requests, complete the following steps to verify the client certificate and its common name client.webhooks.fbclientcerts.com:

Install the root certificate
Verify the client certificate against the root certificate
Verify the common name (client.webhooks.fbclientcerts.com) of the client certificate

Note: Servers receiving Webhooks must be using HTTPS; and we are always verifying the certificate from your HTTPS server for security.

Example

Depending on your server’s setup, the above steps vary in details. We illustrate by two examples, one for Nginx and one for AWS Application Load Balancer (ALB).

Nginx

Download the root certificate (DigiCert High Assurance EV Root CA) from DigiCert to your server, e.g. /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem

Turn on mTLS by Nginx directives (example screenshot)

ssl_verify_client       on;
ssl_client_certificate  /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem;
ssl_verify_depth        3;

Verify the CN from Nginx embedded variable $ssl_client_s_dn equals "client.webhooks.fbclientcerts.com" (example screenshot)
```
if ($ssl_client_s_dn ~ "CN=client.webhooks.fbclientcerts.com") {
    return 200 "$ssl_client_s_dn";
}
```

AWS Application Load Balancer (ALB)

Download the intermediate certificate (DigiCert SHA2 High Assurance Server CA) from DigiCert to a S3 bucket. The root certificate is not accepted by AWS because it is signed using algorithm SHA1withRSA; while the intermediate certificate is signed using SHA256withRSA thereby accepted.
Configure the HTTPS listener on the ALB to enable mTLS with the trust store containing the certificate in the S3 bucket (example screenshot).
In your application code, extract the CN from the HTTP header “X-Amzn-Mtls-Clientcert-Subject”, and verify it equals “client.webhooks.fbclientcerts.com”.

次の��テップ

これでWebhooksの設定方法が理解できました。特定の製品のWebhooksの設定に関連するその他のステップについて補足するドキュメントを参照したい方は、以下をご覧ください。