Since apparently you're not reachable for API questions via email, I guess I'd have to put all the questions in here since it would be tedious to create one for each of them.
So we're planning on creating a webhooks system for our integrations to create a better experience for our users. There are a few pieces that are missing for our end to support having a Podio integration that runs 100% on webhooks.
Support organization level webhooks instead at the space level.
Send full object payload in the webhooks push so we don't need to fetch the resource again. Or at least provide a delta of changes.
Have a secret token header that you send with each request so we can assure the authenticity of the data (that it's actually from Podio and it's not someone trying to hack our system).
Github does a great job with this: https://developer.github.com/webhooks/#delivery-headers.
Ability to unsubscribe from a webhook if the client revokes the OAuth credentials. Do you automatically delete that webhook or do we need to contact the user or you guys to get rid of it?
Trello for instance deletes all webhooks associated with a token if it's revoked or a second option is our server sends a 410 Gone back and the webhook, well you guessed it, it's gone.
Do you think something like this is feasible in the near future?
Thanks for your insights :)
Seems pretty valid point. Are there any particular org operations that you are interested to have webhooks for? Can you also describe some use-cases for org level webhooks?
Sending full object payload is pretty complicated because items in Podio can be extremely big and it might be not needed for webhook to get all details. That's why we keep it small and tiny and let Podio partners build own complicated solutions based on webhooks.
Secret token is not much needed if there is only item_id sent in webhook. Let's review it on item modified scenario.
1) User (or anything else) modifies item
2) item.modified webhook is triggered with item_id
3) 3rd party app receives webhook
4) 3rd party app makes a call to Podio API (if it's needed) and gets all required information from Podio API
So, if webhook request is fake, then Podio API will return same item details and nothing is affected. If you want to have some extra layer of security: why not making webhook URL unique and specific to webhook? Then only Podio will know which URL to use to trigger this webhook.
Ability to unsubscribe from a webhook if the client revokes the OAuth credentials.
Sorry, but I don't understand your question. Can you please re-phrase it as new StackOverflow question?
Related
I am implementing subscriptions to a premium service on a website using Paypal as the payment service. I have successfully created a Catalog Product and Billing Plan through the API, and I am able to get to the payment page on Paypal, but it's not clear how I'm supposed to persist a user identifier through the purchase process.
I assumed it would be something along the lines of passing a user id somewhere, but there's nothing in the Paypal documentation about this. I need to be able to let the user make a purchase and have the Paypal webhook send the confirmation to an endpoint on my site, and that's where I'd expect to get their user id to toggle the subscription on their account on my end.
Is there something I'm missing? There has to be a way to do this cause I'd imagine it's a pretty common use case. If anyone has information or has done this before, I'd love to hear. Thanks.
The only truly secure way I've found when using javascript SDK, is to securely generate a unique custom_id on your server side associated with the user.
Then when you create the buttons, the 'createSubscription' function takes custom_id as a parameter.
Then use a webhook to receive events from your subscription and the custom_id will be present in the body of all BILLING.SUBSCRIPTION events under resource.custom_id.
I am able to get to the payment page on PayPal,
You are vague about what you are doing here. There are multiple ways (and some ways have multiple versions) of accepting subscriptions via PayPal, so it is important that you provide full details about the method you are using.
The time to associate a created subscription ID with a user ID is when it is approved, in the onApprove function if you are using a Smart Payment Button: https://developer.paypal.com/docs/subscriptions/integrate/#4-create-a-subscription
I have successfully set up a DM bot with the Account Activity API. Everything works very well, except that sometimes the message sent to the bot (through the Twitter's web interface or mobile application) doesn’t fire a webhook to my server. The messages could be quick replies responses or plain text.
The reason is obviously not a downtime of my server since I tried to make a conversation between 2 webhook registered users (so my server receive the webhooks for both users) and for the same message sent, I have successfully received the webhook of the sender (the user) but not for the recipient (the bot).
As the bot isn’t in production yet, the reason is not an overload of messages. There is currently only 2 users that make conversations. From my experience, around 10% of messages are "lost".
I'm using the free (sandbox) Account Activity API tier, but as I understand the only differences between the free and paid versions are a higher number of subscriptions (I'm fine with 15) and the “Retries” feature. Regarding this feature, it is specified that “The Account Activity API provides a retry feature when the client’s web app does not return a ‘success’ 200 response for an account activity webhook event.”
It clearly states that the event failure concerns the client’s side, not the Twitter side. Considering this issue (my server doesn't receive the webhook at all), there is no guarantee that every event will be delivered even if in a paid plan.
This is a big inconvenience for bots since a button can only be clicked once, so the user must retry the conversation from the beginning (besides the fact that the bot "doesn't work"...)
So my questions are :
Is anyone here experience this issue ?
Is this a “bug or a feature” of the free Account Activity API ? I mean, at random the free tier doesn't fire the webhook on purpose (even if it's not specified in the docs) ?
Is there a way to see or measure the webhook failures Twitter side, via the dashboard for instance ?
A guess is that the events could be more accurate if the account is verified (with a blue badge) or hit a followers number threshold ? The treatment could be different due to the potential surge of events, so they are monitored with more ressources, thus more reliable ?
I already create a topic in the official Twitter forum and there is at least one other person in the same case, but no official answer from Twitter so far.
Thanks a lot !
BR,
Simon
I've got an official answer from Twitter :
Unfortunately it is not possible to achieve 100% delivery rate when there is only 1 delivery attempt for an event, which is why we have retries (and even then, retries are not a guarantee either). Things can go wrong; maybe internal issues in Twitter Data Centers, routing issues in the internet, hosting issues at your webhook, etc.
So from the time being, it seems that there's not way to have a 100% success delivery when you build a bot on Twitter.
Full answer can be read here.
While creating a webhook for Shopify 'Order creation' event, how can I filter the data that is sent in the POST request JSON? It tends to send all the data by default, which includes lots of customer information which I don't want to share with the webhook. I couldn't find any option in the Admin dashboard.
Shopify just sends the whole order. If you want to limit that you could write your own webhook receiver and then filter and re-post the filtered data.
Some really low cost infrastructure for that would be an AWS Lambda function.
Rewind has a nice post showing the AWS setup needed for that which posts the webhooks to a queue to serialize downstream processing and handle spikes. You should be able to leverage their example to filter and there are tons of examples of how to post the filtered data on the internet.
Shopify webhooks are HTTPS. That means the payload is encrypted from prying eyes. Secondly, the webhook endpoint you create can inspect that security as Shopify includes authentication tokens.
So whether a webhook contains data you want or do not want, there is no sharing of that information with anyone. It is up to you to not share once you receive it. But that has zero to do with Shopify or the webhooks.
So I am testing out Dialogflow and one of the first questions I have is: how does my bot know who it is talking to? I need to identify a user and keep that information for as long as I can. The basic scenario being:
User starts his/her first conversation.
Chatbot send a fulfillment request to the server trying to match a user within its own database.
The user is found, the information (as a JWT or some other token) is sent back to Dialogflow and stored there for further communication. In reality, this part would involve asking for user email, sending a verification code to that email and then verifying the user with the code.
User then starts chatting with a bot and all fulfillment requests get the unique token stored for this very user, so that my REST API knows which user is being served with the response.
Couldn't find anything about it in the docs (maybe I am looking in the wrong places).
There will be several integrations, like Messenger, Viber, Telegram. I dunno, maybe those APIs add some unique information on the user?...
Thanks for the help!
Sorry, I know it's been a while, but maybe this will help someone else.
The right solution here is a user id, not a session id. A user id is provided by the chat platform (Facebook, Slack etc) and is consistent across sessions for the same user.
To get the user id, go to the Fulfillment tab, enable the editor and use a function like so:
let r = request.body.originalDetectIntentRequest
//this makes sure that you're on an integration
if (r["source"]){
return r.payload.data.sender.id;
}
To tie together ids from different platforms, you probably have to have some kind of log-in process every time you encounter a new id on a platform.
Pop,
Sessions are built in already into DialogFlow requests to your fulfilment service, if you check the payload you will find a sessionId, it remains the same for the same client until it expires.
However if you want to identify the user from any of the clients that you can connect to DialogFlow like Messenger then from the same request payload to you you will notice that there is an object named originalRequest that is only available when requests are coming from those clients.
You can personalize those users response eg using their FB firstname in a message to them.
Reading almost the whole API reference of paypal, i am almost sure that they do not provide any kind of API method regarding donations. However i would like to check whether someone donates something to my paypal account and get some details of this transaction.
I thought of using the Activities Search REST API, however it was responding with -> "No permission for the requested operation" while i was testing it with my sandbox business account.
Anyone got any idea of how to claim this details? Do i missing something?
My last thought, was to use gmail API's to read the incoming emails that i am receiving (from paypal) when i got a donation, however i believe it's not a good solution, so its my last choice.