ืขื FastComments ื ืืชื ืืงืจืื ืื ืงืืืช ืงืฆื ืฉื API ืืื ืคืขื ืฉืชืืืื ืืชืืืกืคืช, ืืชืขืืื ืช ืื ื ืืืงืช ืืืืขืจืืช ืฉืื ื.
ืื ื ืืืืฉืื ืืืช ืืืืฆืขืืช webhooks ืืกืื ืืจืื ืืื ืขื ืืื HTTP/HTTPS.
ืื ืื ืืืึพืืืงืื 
Webhook ืืื ืื ืื ืื, ืื ืืื ืืืจืฆืื, ืืื ืฉืชื ืืขืจืืืช ืฉืื ื"ืืคืืง" (FastComments) ืฉืืื ืืืจืืข ืฉื"ืฆืจืื" (ืืชื) ืฆืืจื ืืืืฆืขืืช ืงืจืืืช API.
ืืืจืืขืื ืืืฉืืืื ื ืชืืืื
FastComments ืชืืืืช ื-webhooks ืจืง ืืืฉืื Comment.
ืื ื ืชืืืืื ื-webhooks ืขืืืจ ืืฆืืจืช Comment, ืืกืจื ืืขื ืขืืืื.
ืื ืืื ืืื ื ืืฉื ืืืืจืืข ื ืคืจื ืืืขืจืืช ืฉืื ื ืืืื ืืฉ ืื ืกืื ืืืงื ืฉืื ื ืืืื ืื ืฉืื ืื ืขืืืจ ืืืจืืขื webhook.
ืืืืจืืช ืคืืชืื ืืงืืื
For Local development, use a tool like ngrok.
In order to simplify keeping the system secure, local development follows the same process as setting up and securing other environments.
ืฉืื 1: ืืืกืฃ "localhost" ืืืืืืื ืื ืืืฉืืื ื.
Add "localhost" as a domain here.
ืฉืื 2: ืืืจ ืืคืชื API
We're going to be adding webhook configuration for your domain, so we'll need an API key. You can do that here.
Under "Associate with domain" - select your "localhost" domain.
NOTE: Alternatively, you can use one API Secret for all testing activity and staging environments. Simply add an API Secret for "All Domains", and give it a name like "test".
Ensure you have an API Secret defined for your production domain(s). Events for all other domains will use the wildcard (testing) secret.
ืฉืื 3: ืืืกืฃ ืืช ื-Webhook ืฉืื
While running ngrok or similar tool, set the value for "localhost" here.
When clicking Send Test Payload, we will send two test events to check that you validate the API key.
Once it validates, hit Save.
ืฉืื 4: ืืืกืฃ ืชืืืื
Now you can add, edit, or delete comments and should see us call your local development machine with the events, using your testing API key. There may be up to 30 seconds delay for the events to reach your machine.
ืืืืจื
ืขืงืื ืืืจ ืืืชื ืฉืืืื ืขืืืจ localhost ืืคื ืฉืชืขืฉื ื-production. ืืื ืฉืืฉ ืื production domains ื-API Secrets ืืืืืจืื.
ืจืืฉืืช, ื ืืื ืื ื-Webhooks admin. ื ืืชื ืืืฉืช ืืื ืืจื Manage Data -> Webhooks.
ืืฃ ืืชืฆืืจื ื ืจืื ืื:
ืืขืืื ืื ื ืืชื ืืฆืืื endpoints ืขืืืจ ืื ืกืื ืฉื ืืืจืืข ืชืืืื.
ืขืืืจ ืื ืกืื ืืืจืืข, ืืงืคื ืืืืืฅ ืขื Send Test Payload ืืื ืืืืื ืฉืืืื ืืืจืฆืื ืืืืืจื ืืจืืื. ืจืื ืืช ืืกืขืืฃ ืืื, "Testing", ืืคืจืืื.
ืืืืงืืช
ืืืืฉืง ื ืืืื ื-Webhooks ืืฉ ืืคืชืืจื Send Test Payload ืขืืืจ ืื ืกืื ืืืจืืข (Create, Update, Delete). ืืืจืืขื Create ื-Update ืฉืืืืื ืืืืืืงื WebhookComment ืืืืื, ืืขืื ืฉืืืืืงืช Delete ืืฉืื ืืืฃ ืืงืฉื ืืืืื ืืืืื ืจืง ID.
ืืืืืช ืืืืขื ืื
ืืืืฆืืข ืืืืงืืช ืฉื ืฉืืืื ื-webhook ืฉืื, ืืื ืฉืืืงืฉืืช ืื ืื ืกืืช ืืืืืืช ืืช ืืืืชืจืืช ืืืืืช:
token- ืกืื ื-API ืฉืืX-FastComments-Timestamp- ืืืชืืช ืืื Unix (ืืฉื ืืืช)X-FastComments-Signature- ืืชืืืช HMAC-SHA256
ืืฉืชืืฉ ืืืืืืช ืืชืืืช HMAC ืืื ืืืืื ืฉืืืืขื ืื ืืืชื ืืืื.
ืืื ืืืืงื
ื ืืชื ืืืฉืชืืฉ ืืืืื ืืื webhook.site ืื ngrok ืืื ืืืืืง ืืช ืืืขื ื ื-webhook ืื ืื ืกืื ืืืืื ืืคืืชืื.
ืกืืื ืืืจืืขืื
- Create Event: ืืชืจืืฉ ืืืฉืจ ืชืืืื ืืืฉื ื ืืฆืจืช. ืฉืืืช ืืจืืจืช ืืืื: PUT
- Update Event: ืืชืจืืฉ ืืืฉืจ ืชืืืื ื ืขืจืืช. ืฉืืืช ืืจืืจืช ืืืื: PUT
- Delete Event: ืืชืจืืฉ ืืืฉืจ ืชืืืื ื ืืืงืช. ืฉืืืช ืืจืืจืช ืืืื: DELETE
ืื ืืืจืืข ืืืื ืืช ื ืชืื ื ืืชืืืื ืืืืืื ืืืืฃ ืืืงืฉื (ืจืื ืืื ื ื ืชืื ืื ืขืืืจ ืคืืจืื ืืืืขื).
ืืื ื ื ืชืื ืื
ืืืื ื ืืืืื ืฉื ืฉืื ืืจื webhooks ืืื ืืืืืืืงื WebhookComment, ืืืชืืืจ ื-TypeScript ืืืื.
ืืื ื ื-WebhookComment
ืืื ื ืืืืจืืข "create"
ืืืฃ ืืืงืฉื ืฉื ืืืจืืข ื-"create" ืืื ืืืืืืงื WebhookComment.
ืืื ื ืืืืจืืข "update"
ืืืฃ ืืืงืฉื ืฉื ืืืจืืข ื-"update" ืืื ืืืืืืงื WebhookComment.
ืืื ื ืืืืจืืข "delete"
ืืืฃ ืืืงืฉื ืฉื ืืืจืืข ื-"delete" ืืื ืืืืืืงื WebhookComment.
Change as of Nov 14th 2023
Previously the "delete" event request body only contained the comment id. It now contains the full comment at the time of deletion.
Run When users are tagged in a comment, the information is stored in a list called mentions. Each object in that list
has the following structure.
Run ืฉืืืืช HTTP
ื ืืชื ืืืืืืจ ืืช ืฉืืืช ื-HTTP ืขืืืจ ืื ืกืื ืืืจืืข webhook ืืืื ืื ืืืื:
- ืืืจืืข Create: POST ืื PUT (ืืจืืจืช ืืืื: PUT)
- ืืืจืืข Update: POST ืื PUT (ืืจืืจืช ืืืื: PUT)
- ืืืจืืข Delete: DELETE, POST, ืื PUT (ืืจืืจืช ืืืื: DELETE)
ืืืืจ ืฉืื ืืืงืฉืืช ืืืืืืช ืืืื, ืคืขืืืืช Create ื-Update ืื ืืืืืคืืื ืืืืช ืืืจืืจืช ืืืื (PUT). ืืืจื ืขื ืืืชื ืืงืฉืช Create ืื Update ืื ืืืืจื ืืืฆืืจ ืืืืืืงืืื ืืคืืืื ืืฆื ืฉืืื.
ืืืชืจืืช ืืืงืฉื
ืื ืืงืฉืช webhook ืืืืืช ืืช ืืืืชืจืืช ืืืืืช:
| ืืืชืจืช | ืชืืืืจ |
|---|---|
Content-Type |
application/json |
token |
ืกืื ื-API ืฉืื |
X-FastComments-Timestamp |
ืืืชืืช ืืื Unix (ืืฉื ืืืช) ืืืฉืจ ืืืงืฉื ื ืืชืื |
X-FastComments-Signature |
ืืชืืืช HMAC-SHA256 (sha256=<hex>) |
ืจืื ืืืืื ืืืคืชืืืช API ืืืืืข ืขื ืืืืืช ืืชืืืช HMAC.
ืืืืื ืืืกืืืื ื API
FastComments webhook requests include multiple authentication mechanisms for security.
Headers Sent
| Header | Description |
|---|---|
token |
Your API Secret (for backwards compatibility) |
X-FastComments-Timestamp |
Unix timestamp (seconds) when the request was signed |
X-FastComments-Signature |
HMAC-SHA256 signature of the payload |
HMAC Signature Verification (Recommended)
We strongly recommend verifying the HMAC signature to ensure webhook payloads are authentic and haven't been tampered with.
Signature Format: sha256=<hex-encoded-signature>
How the signature is computed:
- Concatenate:
timestamp + "." + JSON_payload_body - Compute HMAC-SHA256 using your API Secret as the key
- Hex-encode the result
Example Verification (Node.js)
const crypto = require('crypto');
function verifyWebhookSignature(req, apiSecret) {
const timestamp = req.headers['x-fastcomments-timestamp'];
const signature = req.headers['x-fastcomments-signature'];
if (!timestamp || !signature) {
return false;
}
// ืืืื ืฉืืืชืืช ืืืื ืขืืื ืืช (ืืชืื 5 ืืงืืช)
const now = Math.floor(Date.now() / 1000);
if (Math.abs(now - parseInt(timestamp, 10)) > 300) {
return false; // ืื ืืขืช ืืชืงืคืช replay
}
// ืืืช ืืช ืืืชืืื
const payload = JSON.stringify(req.body);
const expectedSignature = crypto
.createHmac('sha256', apiSecret)
.update(`${timestamp}.${payload}`)
.digest('hex');
return signature === `sha256=${expectedSignature}`;
}Example Verification (Python)
import hmac
import hashlib
import time
import json
def verify_webhook_signature(headers, body, api_secret):
timestamp = headers.get('X-FastComments-Timestamp')
signature = headers.get('X-FastComments-Signature')
if not timestamp or not signature:
return False
# ืืืช ืฉืืืชืืช ืืืื ืขืืื ืืช
now = int(time.time())
if abs(now - int(timestamp)) > 300:
return False
# ืืืช ืืช ืืืชืืื
payload = json.dumps(body, separators=(',', ':'))
message = f"{timestamp}.{payload}"
expected = hmac.new(
api_secret.encode(),
message.encode(),
hashlib.sha256
).hexdigest()
return signature == f"sha256={expected}"Example Verification (PHP)
function verifyWebhookSignature($headers, $body, $apiSecret) {
$timestamp = $headers['X-FastComments-Timestamp'] ?? null;
$signature = $headers['X-FastComments-Signature'] ?? null;
if (!$timestamp || !$signature) {
return false;
}
// ืืืื ืฉืืืชืืช ืืืื ืขืืื ืืช (ืืชืื 5 ืืงืืช)
$now = time();
if (abs($now - intval($timestamp)) > 300) {
return false;
}
// ืืืช ืืช ืืืชืืื
$payload = json_encode($body, JSON_UNESCAPED_SLASHES);
$message = $timestamp . '.' . $payload;
$expectedSignature = 'sha256=' . hash_hmac('sha256', $message, $apiSecret);
return hash_equals($expectedSignature, $signature);
}Legacy Authentication
The token header containing your API Secret is still sent for backwards compatibility. However, we recommend migrating to HMAC verification for improved security as it protects against replay attacks.
ืืืฆื ืื ืขืืื ืืืืคืื ืื ืืกืืื ืืช ืืืืจืื
ืื ืืฉืื ืืืื ืืืืืืืงื Comment ืืืขืจืืช ืืคืขืืืื ืืืจืืข ืฉืืกืชืืื ืืชืืจ.
ืืืจืืข ื-webhook ืืจืืฉืื ื ื ืฉืื ืืืจื ืืื ืืชืื ืฉืืฉื ืฉื ืืืช ืืืชืจืืฉืืช ืืงืืจ ืืืืจืืข.
ื ืืชื ืื ืืจ ืืช ืืชืืจ ืืื ืืืืฉืง ืื ืืืื ืฉื Webhooks ืืืงืจื ืฉื-API ืฉืื ืืืจื.
ืื ืืงืฉื ื-API ืฉืื ื ืืฉืืช, ื ืื ืืก ืืืชื ืืืืฉ ืืชืืจ ืขื ืคื ืืื ืืื ืื.
ืืื ืืืื ืื ืืื 1 Minute * the retry count. ืื ืืงืจืืื ื ืืฉืื ืคืขื ืืืช, ืืื ืชื ืกื ืฉืื ืืขืื ืืงื. ืื ืืื ืชืืืฉื ืคืขืืืื, ืืื ืชืืื ืื ืฉืชื ืืงืืช, ืืื ืืืื. ืื ืืื ืฉืื ื ืขืืืก ืขื ื-API ืฉืื ืื ืืื ืืืจื ืืกืืืืช ืืงืฉืืจืืช ืืขืืืก.
ื ืืชื ืืืื ืืช ื-Webhooks ืืชืื ืืฃ ืืืืื ืื.
ืืกืืืื
ืื ืืกืืื ืืช ืชืืขืื ื-Webhooks ืฉืื ื.
ืื ื ืืงืืืื ืฉืชืืฆืื ืืช ืืื ืืืจืฆืืืช ื-Webhook ืฉื FastComments ืงืื ืืืื ื ืืืืืจื ืืืงืื.
ืื ืืชื ืืจืืืฉืื ืฉืืืืืชื ืืืกืจืื ืืชืืขืื ืฉืื ื, ืืืืืขื ืื ื ืืืื.