How do I use webhooks for a product with two-legged auth?

If I want to create an application where I have a node server storing customer data e.g. their favourite colour.
Then when a customer interacts with a device, it would fetch some data from my server, e.g. press a button and get the user’s favourite colour.

From reading the docs, it looks like the best approach to use is two-legged auth: https://docs.particle.io/guide/how-to-build-a-product/authentication/#two-legged-authentication. I would create users and then ‘shadow customers’ would be created on the particle cloud.

Then when the user presses the button, I could use a webhook to hit an API on my server, e.g. myapp/api/user/favouritecolour.

My question is what’s the best way to secure and authenticate the webhook, and what flow would be needed to set it up?

If I want to use a username/password to authenticate the request, I would need to get the user’s username and password, send this to the particle cloud and store it there somehow… I’m not sure how I would do that, and would it be secure to store the password in the open?

The same goes for using a token of some kind, I’d have to make multiple requests to get the token and somehow store it on the particle cloud. How would I do that? And once the token expired I’m not sure how I would update the token on the particle cloud…

Maybe I’m missing something a lot more obvious here… Thanks

1 Like

Hey @stoobee,

Thanks for your question! Unfortunately, webhooks are not supported for the product/customer quite yet, but it is planned for 2016. However, there may be a workaround you could try for the time being.

What I would recommend in this case is for your Node Server to subscribe to events that are published by your products’ devices. There is a special server-sent-events (SSE) endpoint exposed by the Particle API that is scoped on an organization/product level for you to use.

That endpoint is /v1/orgs/:orgSlug/products/:productSlug/events. This is the same endpoint that the Dashboard uses for the “logs” view for your product. When publishing the event, you could pass a prefix letting your server know that this is a request for a user’s favorite color. Then, you could include a piece of identifiable information about the device/customer in the data of the event that your server could use to look up that person’s information.

For instance, you could get the device ID of the device in firmware with System.deviceID() and include that in the published event that your server will listen for:

Particle.publish("get-favorite-color", "123456789");

Then, you could have your Node server publish an event with the results of the DB query that the device would subscribe to. You’d have to be sure the right device was receiving the right event with the color, but you could use a similar approach as above to have the server publish an event with a name that included a unique device ID that each device would subscribe to based on its device ID.

I’m sure there could be other ways of approaching this, but this could be one way that would be useful. Hope this helps. FYI, product/customer support for webhooks is planned for 2016.

2 Likes
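
The server side of the workaround in the reply above, as an added example that is not part of the thread and not Particle's code. It assumes each stream record carries a JSON body with `data` (the payload the firmware chose) and `coreid` (the sender ID attached by the cloud); the customer table, the sample stream and the `favorite-color/<deviceID>` reply name are constructed for illustration. It answers only when the ID claimed in the payload matches the cloud-attached sender ID.

```javascript
// Added example: handling the product event stream on the server (runs offline).
// Assumption: records look like "event: <name>\ndata: <json>\n\n", where the JSON
// has "data" (payload chosen by firmware) and "coreid" (sender ID set by the cloud).

// Constructed customer table keyed by device ID (hypothetical values).
const favouriteColours = new Map([
  ["0123456789abcdef01234567", "blue"],
  ["89abcdef0123456789abcdef", "green"],
]);

// Constructed sample stream: one honest request, one device claiming another's ID.
const sampleStream = [
  ":ok", "",
  "event: get-favorite-color",
  'data: {"data":"0123456789abcdef01234567","ttl":"60","coreid":"0123456789abcdef01234567"}',
  "",
  "event: get-favorite-color",
  'data: {"data":"0123456789abcdef01234567","ttl":"60","coreid":"89abcdef0123456789abcdef"}',
  "",
].join("\n");

// Split SSE text into { name, payload } records; skip keep-alives and malformed ones.
function parseSse(text) {
  const events = [];
  for (const block of text.split(/\r?\n\r?\n/)) {
    let name = null;
    const dataLines = [];
    for (const line of block.split(/\r?\n/)) {
      if (line.startsWith("event:")) name = line.slice(6).trim();
      else if (line.startsWith("data:")) dataLines.push(line.slice(5).trim());
    }
    if (!name || dataLines.length === 0) continue;
    try { events.push({ name, payload: JSON.parse(dataLines.join("\n")) }); }
    catch (e) { /* body is not JSON: ignore the record */ }
  }
  return events;
}

// Build the event to publish back, or null when the request must not be answered.
function buildReply(evt) {
  if (evt.name !== "get-favorite-color") return null;
  const { coreid: sender, data: claimed } = evt.payload || {};
  // Trust the cloud-attached sender ID; refuse requests made on behalf of another ID.
  if (typeof sender !== "string" || claimed !== sender) return null;
  const colour = favouriteColours.get(sender); // unknown devices get no reply
  return colour === undefined ? null : { name: `favorite-color/${sender}`, data: colour };
}

// Replies the server would publish for a chunk of stream text.
function replies(text) { return parseSse(text).map(buildReply).filter(Boolean); }
```
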

Thanks @jeiden!

Hi @jeiden, is there any news about webhooks for products? Thanks

@durielz thanks for the ping! Yes, we are definitely planning on building webhooks for organizations/products as part of a bigger effort to build Particle Integrations, which will allow for easy interactions with other services. This is planned for Q2 2016, and has been a frequently requested feature of product creators.

If you need a solution ASAP, you can follow my instructions above!

Thanks @jeiden. OK, I’ll do it.

@durielz @stoobee just to close the loop on this, we just announced webhooks for products as a public beta. You can check it out here: Introducing Product Webhooks!