Starting out
After installing and enabling the Chat integration for your bot, you must grab the webhook id. The webhook id is found in the webhook URL.
in this case, the webhook id start with 90 and ends with 51
Use this in the Base URL of all your api calls.
Authorization tokens
All Authorization is scope on the user level and all endpoints require authentication except for Create User and Get Or Create User , which provide the authentication tokens for those users, in the returned body, under body.key.
If you want to prevent outside sources from being able to create users. You should set an encryption secret in your integration's configuration page in your bot. Then, use const xUserKey = jwt.sign({ id: userId }, ctx.config.encryptionKey, { algorithm: 'HS256' }) to create a user key. You can pass any information inside the sign method that uniquely identifies the user.
Webhooks
To verify that the webhooks are coming from the correct location, you can must verify the x-signature parameter.
In Javascript:
req.headers['x-signature'] === crypto.createHmac('sha256', SECRET).update(JSON.stringify(req.body)).digest('hex')
In Python:
request.headers.get('X-Signature') == hmac.new(SECRET, request.data, hashlib.sha256).hexdigest()