Webhook of the week - Twitter

Building support for Twitter webhooks in Hookalu presented me with a unique set of challenges. Initially the implementation looked similar to some of the bigger services I’ve done. Twitter integrations need an authorized app, require webhook validation when the webhook is created, and use a HMAC SHA-256 signature for requests. Digging deeper into the documentation uncovered a rich set of events, a unique API, and no management dashboard for working with webhooks.

The lack of a dashboard is not typical, but Hookalu already provides a nice dashboard interface for managing webhooks for lots of sources. This meant that creating and deleting webhooks was a critical feature for the Twitter integration. Reading more about both the premium and enterprise API endpoints showed this wasn’t your ordinary REST API.

All webhook API requests require tokens and signing conformant with the OAuth 1.0a specification. Submitting valid HTTP requests requires many detailed steps to be precisely performed. The smallest mistake results in an authentication error that can be very difficult to track down. The use of four unique security tokens plus an environment name is also required for proper handling of API requests and webhook validation and signing.

It’s always great to see services that embrace APIs and webhooks for notifications, while taking security very seriously. The use of an older version of OAuth really made our Twitter integration a bit tougher to get right. Let Hookalu help you out if you’re running into similar challenges getting webhooks working with your app.