Security for inbound web-hooks - replies and delivery reports

Updated 3 years ago

Many clients ask us how the can ensure security when we push replies and delivery reports over HTTP to their web server.

Here are a few tips:


We recommend that you setup and use https on your server

Verify User ID in the Post Body

We post your user_id with every webhook. The user ID is unique to your account and fixed. You can check the body for this value.

Use the custom_string parameter

When sending the SMS, you can supply a 'custom_string' parameter for each recipient (see the sms/send endpoint). We will pass this back with all replies. You can set this to anything and validate it when we post it back.

Add a token to the request

When setting up the inbound SMS rule, you can add a query string token to the end of your URL.

for example: https://

By adding a token to the end of the URL that only you know, you can verify that the script is coming from us.

Verify Our IP Address

We always post from the same pool of IP addresses. You can verify that it's coming from us.

How Did We Do?

Powered by HelpDocs (opens in a new tab)