How to use WhatsAuth while keeping your endpoint secured
While developing the integration with WhatsAuth you might think that is a risk to enable an endpoint in your system to receive the webhooks. In order mitigate that risk our recomended solution is to implement a key based access control polocy in your endpoint. This way you will be able to reject all the request that don’t provide the right key and only accept the ones properly authenticated.
This suggested solutions relays in your system capacity of authenticating request based on a apiKey
parameter in the query string.
How to set an API Key
If ypu check the API specs you’ll see that every request to get a verification code allow the speceficiation of a callback_url
, for instance: https://mycompany.io/webhook/whatsauth, here you can add some convinient parameters in that URL, not just the host and path. Just like we suggest in the WhatsApp Login Guide you can include an apiKey
param in the URL:
https://mycompany.io/webhook/whatsauth?apiKey=MY-SUPER-SECRET-KEY
This way when WhatsAuth notify your system about the status of the validation it will make a PSOT request to your endpoint including the MY-SUPER-SECRET-KEY value as apiKey
and you could rest assured that the request is authenticated.
What if the Key is Compromised or Revoked
In the unpleaseant event of a key being leaked you should inmidiatly revoked that key in your system and set a new key e.g. NEW-MEGA-SECRET-KEY and also start request the verification code with a new apiKey
param in the callback_url
:
https://mycompany.io/webhook/whatsauth?apiKey=NEW-MEGA-SECRET-KEY
And you will start receiving authenticated webhook again
Architenture Tip: keep the apiKey
as variable in your code to be able to change it rapidly and easy when required.
Remeber that query string parameters can be used for several purposes and can be added using &
for example it’s possible to send a sessionId
and an apiKey
like this: https://mycompany.com/webhook/whatsauth?sessionId=ace9b0d1-bdaa-4a56-8b28-94ad8d6d0f6b&apiKey=MY-SUPER-SECRET-KEY