Enterprise Webhooks (Part 1)

So, you’ve finally decided to secure your Webhooks and put an end to all those nasty payloads being sent from malicious sources? Excellent! Securing your MessageMedia Webhooks is a two-part process: the first part consists of creating a public/private key pair, and the second part is verifying your Webhook by making use of those keys. In this tutorial, we’ll be walking you through the first part, which involves sending requests and viewing the different responses received.


Installing Signature Key Management Node.js SDK

You’ll need a code editor such as Sublime Text or Atom. We’ll be using Node.js to develop our app, so you’ll need to make sure you’ve installed it on your machine as well. Now create an empty folder for your project, let’s name it “testApp”. Now, open up your command prompt, cd to the directory and run the following command to install the Signature Key Management SDK:

npm install messagemedia-signingkeys-sdk

Create a pair of keys

We’re going to create a pair of keys – a private and a public one. The private key will be used by MessageMedia to sign the Webhook and the public one will be used by us to verify the signature. Create an index.js file inside that folder and open it up in your editor. Write down the following code.

As you can see, only the public key will be returned in the response. The private key will be held by MessageMedia in its secure data store. The digest is the algorithm used to hash the message, and the supported values for the digest type are SHA224, SHA256 and SHA512. The cipher is used to encrypt the hashed message, and the only supported value for it is RSA.
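To make the roles of the two keys and the digest concrete, here is an added example (not code from the MessageMedia SDK or from the original tutorial) that signs a constructed payload with a private key and verifies it with the matching public key for each supported digest. It assumes a locally generated RSA key pair standing in for the pair MessageMedia creates, PKCS#1 v1.5 signatures over the raw payload, and hypothetical helper names; the page does not specify what MessageMedia actually signs.

```javascript
// Added illustration: a locally generated key pair stands in for the pair
// MessageMedia creates. Padding and signed content are assumptions.
const crypto = require('node:crypto');

// Digest names as listed in the tutorial, mapped to Node.js algorithm names.
const DIGESTS = { SHA224: 'sha224', SHA256: 'sha256', SHA512: 'sha512' };

function createKeyPair() {
  // In the real service the private key never leaves MessageMedia.
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender side: hash the payload with the digest, sign the hash with RSA.
function signPayload(privateKey, digest, payload) {
  const algo = DIGESTS[digest];
  if (!algo) throw new Error(`unsupported digest: ${digest}`);
  return crypto.sign(algo, Buffer.from(payload, 'utf8'), privateKey).toString('base64');
}

// Receiver side: only the public key and the agreed digest are needed.
function verifyPayload(publicKey, digest, payload, signatureB64) {
  const algo = DIGESTS[digest];
  if (!algo) return false; // reject digests outside the supported set
  const sig = Buffer.from(signatureB64, 'base64');
  return crypto.verify(algo, Buffer.from(payload, 'utf8'), publicKey, sig);
}

function demo() {
  const { publicKey, privateKey } = createKeyPair();
  // Constructed sample payload, not a real MessageMedia Webhook body.
  const payload = JSON.stringify({ message_id: 'constructed-0001', status: 'delivered' });
  const results = {};
  for (const digest of Object.keys(DIGESTS)) {
    const sig = signPayload(privateKey, digest, payload);
    const otherDigest = digest === 'SHA256' ? 'SHA512' : 'SHA256';
    results[digest] = {
      genuine: verifyPayload(publicKey, digest, payload, sig),
      tampered: verifyPayload(publicKey, digest, payload.replace('delivered', 'failed'), sig),
      wrongDigest: verifyPayload(publicKey, otherDigest, payload, sig),
    };
  }
  // A signature produced by any other key pair must not verify.
  const forged = signPayload(createKeyPair().privateKey, 'SHA256', payload);
  results.otherKey = verifyPayload(publicKey, 'SHA256', payload, forged);
  return results;
}

console.log(demo());
```

Only the unmodified payload, checked with the right public key and the same digest used for signing, verifies; every other combination is rejected.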

Notice how the enabled status of the key is set to false? Let’s find out how we can change that.

Enable and disable the key

The Signature Key Management API allows you to create multiple pairs of keys, but you can only use one at a time. This is why you need to enable the key that you would like to use.

You can disable the currently enabled key using the following code; a successful request will result in a null response.

Get enabled key

You can retrieve the details of the currently enabled key (except the public key itself) by calling the following function.

Get signature key list

If you’ve created more than one pair of keys, you can view them using this function.

I have two sets of keys under my account which is why it’s showing two responses. You would probably get one if you’re following the exact steps of this tutorial.

Delete a signature key

If you’d like to remove a key from the list, you can do so by running the following code.

To confirm that it was actually deleted, we can call the Get signature key list method to view all the existing keys under our account.

Next Steps

Well done – you’ve learned how to create and manage your keys. Continue reading on how you can verify your Webhooks in Node.js in the second part of this technical article. We’ve also got SDKs in a range of languages including Java and Ruby. You can find the complete list under Resources.