Webhooks Overview

LAST EDIT Aug 03 2021

By using webhooks, you can tightly integrate your server application with Stream Chat. The platform supports three kinds of webhooks: Push, Before-Message-Send, and Custom Commands. All of them follow the common set of rules:

  • Webhook should be reachable from the public internet. Tunneling services like Ngrok are supported

  • Webhook should accept HTTP POST requests with JSON payload

  • Webhook should respond with response codes from 200 to 299

  • Webhook should respond as fast as possible. The exact time given for the response varies between webhook types

  • Webhook should be ready to accept the same call multiple times: in case of network or remote server failure Stream Chat could retry the request (behavior varies between webhook types)

All webhook requests contain these headers:

Name

Description

Example

X-Webhook-Id

Unique ID of the webhook call. This value in consistent between retries and could be used to deduplicate retry calls

123e4567-e89b-12d3-a456-426614174000

X-Webhook-Attempt

Number of webhook request attempt starting from 1

1

X-Api-Key

Your application’s API key. Should be used to validate request signature

a1b23cdefgh4

X-Signature

HMAC signature of the request body. See Signature section

ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

Security and Performance

Copied!

We highly recommend following common security guidelines to make your webhook integration safe and fast:

  • Use HTTPS with a certificate from a trusted authority (eg. Let's Encrypt)

  • Verify the "X-Signature" header

  • Support HTTP Keep-Alive

  • Be highly available

  • Offload the processing of the message if possible (read, store, and forget)

Webhook types

Copied!

Stream Chat supports several webhook types:

Type

Description

Push

Push webhook is useful when you want your server application to receive all important events happening in the Stream Chat

Before Message Send

This webhook allows you to modify or moderate message content before sending it to the chat for everyone to see

Custom Commands

This webhook reacts to custom /slash commands

Please consult with corresponding pages to choose the webhook type that best fits your needs

Signature

Copied!

All HTTP requests can be verified as coming from Stream (and not tampered by a 3rd party) by analyzing the signature attached to the request. Every request includes an HTTP header called "X-Signature" containing a cryptographic signature of the message. Your webhook endpoint can validate that payload and signature match:

If your application uses more than one API Key, you can use the HTTP Header X-Api-Key to match the signature to the correct secret. Stream will always use the most recently created API Key to sign payloads.

Configuration

Copied!

You can configure your webhook endpoints in the Stream Chat Dashboard or by using server-side SDK client:

Also, webhooks could be configured using our CLI client:

See the CLI introduction for more information on the Stream CLI.

Whitelisting Stream Domains

Copied!

If you are maintaining a whitelist of servers allowed to connect to your app, you will need to add Stream's servers to that whitelist for Webhooks to work.

US-East

Az

eip

Primary

us-east-1b

34.225.10.29/32

Secondary

us-east-1c

34.198.125.61/32

Tertiary

us-east-1e

52.22.78.160/32

Quaternary

us-east-1d

3.215.161.238/32

EU-west

Az

eip

Primary

eu-west-1a

52.212.14.212/32

Secondary

eu-west-1b

52.17.43.232/32

Tertiary

eu-west-1c

34.241.110.177/32

Sydney

az

eip

Primary

ap-southeast-2a

54.252.193.245/32

Secondary

ap-southeast-2b

13.55.254.141/32

Tertiary

ap-southeast-2c

3.24.48.104/32

mumbai

az

eip

Primary

ap-south-1a

65.1.48.87/32

Secondary

ap-south-1b

15.206.221.25/32

Tertiary

ap-south-1c

13.233.48.78/32

Singapore

az

eip

Primary

ap-southeast-1a

13.229.11.158/32

Secondary

ap-southeast-1b

52.74.225.150/32

Tertiary

ap-southeast-1c

52.76.180.70/32