Requests to your conversational webhook are signed with an authorization token in the header, using the following format:
google-assistant-signature: "<JWT token>"
The auth token follows the JSON Web Token format, where the audience field value is equal to the Actions console project ID for the app. To verify the signature, unpack the token and ensure the audience field matches the project ID for the app. You can do this with a JWT-compatible credentials library, like the Google APIs Node.js client, or directly using the Actions on Google Node.js Client Library `ConversationOptions#verification` option, as shown in the following code snippet:
```javascript
const {conversation} = require('@assistant/conversation');

// Pass the Actions console project ID; the library checks that the
// google-assistant-signature token's audience matches it on every request.
const app = conversation({verification: 'nodejs-cloud-test-project-1234'});
// HTTP Code 403 will be thrown by default on verification error per request.
```
The JWT payload has the following format:

```json
{
  "iss": "https://accounts.google.com",
  "aud": [project-id],
  "nbf": number,
  "iat": number,
  "exp": number,
  "jti": string
}
```