Security for inbound web-hooks - replies and delivery reports
Many clients ask us how they can ensure security when we push replies and delivery reports over HTTP to their web server.
Here are a few tips:
We recommend that you set up and use HTTPS on your server, so that the posted data (and any token in your URL) is not sent in the clear.
Verify User ID in the Post Body
We post your user_id with every webhook. The user ID is unique to your account and fixed. You can check the body for this value and reject any post whose user_id does not match your account.
Use the custom_string parameter
When sending the SMS, you can supply a 'custom_string' parameter for each recipient (see the sms/send endpoint). We will pass this back with all replies. You can set this to anything and validate it when we post it back, for example by checking that it matches the value you stored for that message.
Add a token to the request
When setting up the inbound SMS rule, you can add a query string token to the end of your URL.
For example: https://yourserver.com/incoming/sms.php?token=Fsk83jdiao2e
By adding a token to the end of the URL that only you know, you can verify that the request is coming from us: we will send that token back with every post, and any request without it should be rejected.
Verify Our IP Address
We always post from the same pool of IP addresses, so you can check the source address of each request against that pool and drop requests from anywhere else.
We can post your API key
If you prefer, we can post a SHA/MD5 hash of your API key along with the other posted variables. This way you can verify that the post is from us. Note that the hash of a fixed key is itself a fixed value, so treat it like any other shared secret: keep it out of logs and compare it using a constant-time comparison.
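As an added example (not the provider's own code), the checks described above combined into one validation routine for the receiving endpoint. The account id, API key, sender network (a TEST-NET range), the api_key_hash field name and the choice of SHA-256 as the SHA variant are placeholders and assumptions.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed configuration: placeholders, not real provider values.
EXPECTED_USER_ID = "123456"                              # your account's user_id (hypothetical)
API_KEY = "EXAMPLE-API-KEY-PLACEHOLDER"                  # your API key (placeholder)
URL_TOKEN = "Fsk83jdiao2e"                               # token from the example URL above
SENDER_POOL = [ipaddress.ip_network("203.0.113.0/24")]   # stand-in for the provider's IP pool


def api_key_digest(algorithm: str = "sha256") -> str:
    """Hex digest of our API key as the provider would post it (algorithm is an assumption)."""
    return hashlib.new(algorithm, API_KEY.encode()).hexdigest()


def _matches_api_key_hash(candidate: str) -> bool:
    """Constant-time check of a posted hash against the SHA-256 and MD5 digests of our key."""
    posted = candidate.lower().encode()
    return any(hmac.compare_digest(posted, api_key_digest(alg).encode())
               for alg in ("sha256", "md5"))


def validate_inbound(remote_ip: str, url: str, form: dict,
                     expected_custom_string: Optional[str] = None) -> list:
    """Return the names of the checks that failed; an empty list means accept the post."""
    failures = []
    # 1. Source IP must belong to the provider's sender pool.
    addr = ipaddress.ip_address(remote_ip)
    if not any(addr in net for net in SENDER_POOL):
        failures.append("ip")
    # 2. Secret token appended to the callback URL, compared in constant time.
    token = parse_qs(urlsplit(url).query).get("token", [""])[0]
    if not hmac.compare_digest(token.encode(), URL_TOKEN.encode()):
        failures.append("token")
    # 3. user_id posted in the body must be ours.
    if form.get("user_id", "") != EXPECTED_USER_ID:
        failures.append("user_id")
    # 4. custom_string must round-trip unchanged (only checked when we stored one).
    if expected_custom_string is not None and form.get("custom_string") != expected_custom_string:
        failures.append("custom_string")
    # 5. Hashed API key, if the provider is configured to post it (field name is an assumption).
    if "api_key_hash" in form and not _matches_api_key_hash(form["api_key_hash"]):
        failures.append("api_key_hash")
    return failures
```

Wire this into the handler for sms.php's equivalent and respond with an error status whenever the returned list is non-empty.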