JudRoman

Reputation: 742

Mailgun Webhook Access

We're currently implementing Mailgun's webhook to convert an email reply to a reply in a comment thread in our application. We set up a route to match the recipient and set the action to store(notify="https://example.com/example-endpoint"). Mailgun POSTs data to the given endpoint where we then process the message and add it to the application comment thread.

My question is this:

How do I lock down the endpoint so that Mailgun is the only entity that can post here? Is there a list of IPs that I can whitelist? Is there a special key that they send that I can validate against the private API key?

Upvotes: 3

Views: 1199

Answers (1)

JudRoman

Reputation: 742

I found my own answer in the documentation. I should have read the documentation more closely.

The "Securing Webhooks" section under https://documentation.mailgun.com/user_manual.html#webhooks says:

To ensure the authenticity of event requests, Mailgun signs them and posts the signature along with other webhook parameters.

I had to compare the signature value in the payload to a SHA256 HMAC hash of timestamp and token using the api key as the HMAC key.

For example:

// Recompute HMAC-SHA256 over timestamp . token, keyed with the API key, and compare it to the posted signature
$_POST['signature'] === hash_hmac('sha256', $_POST['timestamp'] . $_POST['token'], 'example-api-key');

Upvotes: 2
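A fuller version of the check described in the answer, written in Python as an added example rather than code from the question or from Mailgun: it verifies the HMAC with a constant-time comparison, rejects events whose timestamp is too old, and refuses a token it has already accepted, which closes the replay window that a bare signature check leaves open. The key, token and timestamp values are constructed for the demo; the key is the API key as the answer states, so confirm in your own Mailgun settings which key signs your webhooks.

```python
import hashlib
import hmac
import time

# Constructed values for the demo; a real key never belongs in source code.
API_KEY = b"example-api-key"
MAX_AGE_SECONDS = 300  # reject stale events to narrow the replay window

def compute_signature(timestamp: str, token: str, api_key: bytes) -> str:
    """HMAC-SHA256 over timestamp + token, hex-encoded, as Mailgun documents."""
    msg = (timestamp + token).encode("utf-8")
    return hmac.new(api_key, msg, hashlib.sha256).hexdigest()

def verify_webhook(post: dict, api_key: bytes, seen_tokens: set, now=None) -> bool:
    """True only if the POST was signed with api_key, is fresh, and its token is unseen."""
    try:
        timestamp = str(post["timestamp"])
        token = str(post["token"])
        signature = str(post["signature"])
    except KeyError:
        return False  # missing parameter: not a Mailgun-signed request
    expected = compute_signature(timestamp, token, api_key)
    # Constant-time comparison; a plain == / === leaks timing information.
    if not hmac.compare_digest(expected, signature):
        return False
    now = time.time() if now is None else now
    try:
        age = now - int(timestamp)
    except ValueError:
        return False  # non-numeric timestamp
    if abs(age) > MAX_AGE_SECONDS:
        return False  # old (or future-dated) event: likely a replay
    if token in seen_tokens:
        return False  # same token delivered twice: replay
    seen_tokens.add(token)
    return True

def demo() -> dict:
    """Exercise the verifier with a constructed valid, replayed, tampered and stale event."""
    ts = "1700000000"
    token = "constructed-token-0123456789abcdef"
    good = {"timestamp": ts, "token": token, "signature": compute_signature(ts, token, API_KEY)}
    tampered = dict(good, token="different-token")  # body changed, signature not recomputed
    seen = set()
    return {
        "valid": verify_webhook(good, API_KEY, seen, now=1700000010),
        "replayed": verify_webhook(good, API_KEY, seen, now=1700000020),
        "tampered": verify_webhook(tampered, API_KEY, set(), now=1700000010),
        "stale": verify_webhook(good, API_KEY, set(), now=1700001000),
    }
```

Persist the seen tokens (e.g. in your database with an expiry equal to MAX_AGE_SECONDS) rather than in memory if the endpoint runs on more than one process.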
