How to Verify Requests

Requests to your conversational webhook are signed with an authorization token in the header, using the following format:

authorization: "<JWT token>"

The auth token follows the JSON Web Token format, where the audience field value is equal to the Actions Console project ID for the app. To verify the signature, unpack the token and ensure the audience field matches the project ID for the app. This can be done with a JWT-compatible credentials library, like the Google APIs Node.js Client, or directly using the Actions on Google Node.js Client Library isRequestFromAssistant() method.

const app = new ActionsSdkApp({request, response});
app.isRequestFromAssistant('nodejs-cloud-test-project-1234')
  .then(() => {
    app.ask('Hey there, thanks for stopping by!');
  })
  .catch(err => {
    response.status(400).send();
  });