The Callback URL or Verify Token couldn't be validated. Please verify the provided information or try again later
R

11

11

I have been following the Facebook bot setup guide and have set up a callback URL that is running on an EC2 instance.

I am getting an error (see title of this) when trying to validate the callback URL and verify token.

https://360.finance:1337/webhook is my webhook and the verify token is the same in my environment variable and in my Facebook settings.

I set up SSL using LetsEncrypt and from what I can tell, the SSL is not showing as self signed so it looks to be working correctly (please note I'm new to all of this).

Checked at https://www.ssllabs.com/ssltest/analyze.html?d=360.finance&hideResults=on and all looks correct.

I have also included the Facebook page token as an environment variable and included it in my index.js file.

I have tested netcat / telnet into that port on my EC2 IP and it is succeeding.

Rehash answered 5/3, 2020 at 11:56 Comment(2)
For anyone with the same challenge. The fix was to set express.js up as https. The Facebook bot article doesn't mention this in the setup. – Rehash
I have the same problem. Based on what was logged on my server, it didn't even call my URL. But when I test my URL, it works in the browser. – Denominate
E
14

You must return an HTTP response with the hub.challenge token as plain text.

Economize answered 23/8, 2022 at 17:22 Comment(5)
Why don't they mention that clearly?! – Diocese
The call from verify webhook doesn't even reach my website. My webhook URL works fine in the browser. The only thing I suspect is that I'm using a self-signed certificate. Is this the cause? – Denominate
I use Let's Encrypt and it works fine. It's not supposed to be an issue with self signed certificates. – Economize
In my case it uses hub_challenge (with underscore instead of dot). – Laaspere
Just to clarify the obvious, hub_challenge is not a string value, but an input parameter available in the incoming request. You return it like return response(request('hub_challenge')); in Laravel for example. – Pomander
B
5

We need to update the following on the Facebook app settings page before adding the Callback URL or Verify Token.

  1. Privacy Policy URL
  2. Category
  3. App Icon (1024*1024)

It's weird that Facebook doesn't point out the exact error.

Bibliotheca answered 28/7, 2020 at 16:12 Comment(1)
I updated all 3. Still facing the same issue. – Uyekawa
T
5

Do not use ngrok or localtunnel. I tried both, with no luck.

If you really want your local dev server to authenticate, you can port forward over SSH to your public-facing server.

ssh -R 4000:localhost:4000 root@your-server-ip

This way you can set up nginx to reverse proxy 443 to 4000 and handle SSL with certbot.

Sample config for nginx reverse proxy (before running certbot):

server {
    server_name my-own-domain;
    root /usr/share/nginx/html;
    index index.html index.htm;
    listen 80;

    location / {
        proxy_pass http://localhost:4000/;
    }
}

So you "only" need:

  • Your own domain
  • Your own server
  • nginx
  • certbot
  • SSH Server

And now you have your own private ngrok replacement

Tsana answered 14/12, 2022 at 16:36 Comment(3)
Why would they deny ngrok? Such a bad dev experience. – Titration
No idea. It feels like they want to raise the bar and let only medium to large enterprises use the API. – Tsana
You saved my day! – Cucullate
L
1

Check your callback server: is it running or not?

The callback and token come from your server.

Loughlin answered 2/3, 2022 at 5:50 Comment(0)
G
1

For Python users: you need to use a dot, not an underscore. I don't get it: when I use the underscore version, the Facebook API can't access the challenge, but when I replicate the same GET request with Postman I can access the challenge.

# Wrong way
challenge = request.GET['hub_challenge']

# Right way
challenge = request.GET['hub.challenge']
return HttpResponse(challenge)
Grubbs answered 10/11, 2022 at 19:51 Comment(0)
C
0

After 2-3 hours of debugging, my case was returning "\"1412656657\"" instead of "1412656657".

Fixed by returning the value inside Content()

public ContentResult Get()
{
    // validate token
    // get hub.challenge from query string
    var hubChallenge = Request.Query["hub.challenge"];
  
    return Content(hubChallenge, "text/plain");
}
Chasitychasm answered 18/3, 2024 at 20:29 Comment(0)
C
0

This fixes my problem using the built-in port in VS Code with visibility public: https://mcmap.net/q/1176638/-facebook-webhook-url-error-has-been-identified-as-malicious-and-or-abusive

Chancre answered 18/7, 2024 at 7:6 Comment(0)
N
0

It was already mentioned. But quick question if you are confident that it should work:

IT WILL NOT WORK WITH NGROK.

Neu answered 20/7, 2024 at 17:34 Comment(0)
N
0

In my case, I knew that ngrok will not work, so I deployed the application to Digital Ocean, and I got the default domain from DO: https://<projectname>.ondigitalocean.app/whatsapp/webhook

I was struggling for 2 hours, until I went to the "Webhook" tab (in the left sidebar) and tried to call my webhook.

I got the message: url <url> has been identified as malicious and/or abusive

So I bought the domain and it worked.

Neu answered 22/8, 2024 at 21:28 Comment(0)
P
0

This is how it worked for me in FastAPI with Ngrok

@router.get("/whatsapp-webhook")
async def whatsapp_webhook(request: Request,
                           db: AsyncSession = Depends(dependencies.get_db)):
    return int(request.query_params.get("hub.challenge"))
Pastoral answered 27/8, 2024 at 0:35 Comment(0)
K
0

You need to return a request param sent by Facebook called hub.challenge. The code below shows how to do this in a safe way: if the "if" below is not present, any user can set a webhook in your server, which could lead to bugs such as duplicate operations like sending duplicate messages, etc.

@GetMapping
public ResponseEntity<String> webhookSignUp(@RequestParam("hub.challenge") String validator,
                                            @RequestParam("hub.verify_token") String wppPermanantToken) {
    // Only echo the challenge when the verify token matches the one configured on the server.
    if (wppPermanantToken.equals(tokeYouSet)) {
        return ResponseEntity.ok().body(validator);
    } else {
        return ResponseEntity.badRequest().build();
    }
}
Kraska answered 30/8, 2024 at 14:22 Comment(0)
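
The handshake the answers above describe, as an added example that is not code from any of the posts: a framework-independent handler that checks `hub.verify_token` before echoing `hub.challenge` unquoted as `text/plain`. The function names and the sample token are assumptions for illustration; `hub.mode=subscribe` is the mode value sent with verification requests.

```javascript
// Added example: Meta webhook verification as a framework-independent function.
// Function names and the sample token are assumptions for illustration.
const encoder = new TextEncoder();

// Compare without stopping at the first mismatching byte. In a Node.js service,
// crypto.timingSafeEqual over equal-length digests is the usual choice.
function tokensMatch(received, expected) {
  const a = encoder.encode(received);
  const b = encoder.encode(expected);
  let diff = a.length ^ b.length;
  for (let i = 0; i < b.length; i++) {
    diff |= (a[i] ?? 0) ^ b[i];
  }
  return diff === 0;
}

function reply(status, body) {
  return {
    status,
    headers: { 'Content-Type': 'text/plain', 'X-Content-Type-Options': 'nosniff' },
    body,
  };
}

// rawQuery is the query string of the GET request, without the leading "?".
function verifyWebhook(rawQuery, expectedToken) {
  // Fail closed if the server-side token is missing (e.g. unset env variable).
  if (typeof expectedToken !== 'string' || expectedToken.length === 0) {
    return reply(500, '');
  }
  const q = new URLSearchParams(rawQuery);
  const mode = q.get('hub.mode');
  const token = q.get('hub.verify_token');
  const challenge = q.get('hub.challenge'); // dotted name on the wire

  if (mode !== 'subscribe' || token === null || challenge === null) {
    return reply(400, '');
  }
  if (!tokensMatch(token, expectedToken)) {
    return reply(403, ''); // never echo the challenge to an unverified caller
  }
  // Echo the raw string; JSON-encoding it would wrap the value in quotes.
  return reply(200, challenge);
}

// Constructed sample request, not captured traffic.
const SAMPLE_QUERY =
  'hub.mode=subscribe&hub.verify_token=example-verify-token&hub.challenge=1412656657';
console.log(verifyWebhook(SAMPLE_QUERY, 'example-verify-token'));
```

In Express the returned object maps onto `res.status(...).set(...).send(...)`; use `send`, not `json`, so the body stays unquoted.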
