AZ Azerbaijan / AZN
MUPZA OperatorOwner accountMU
M
MUPZAOSRestaurant OS command
Webhook Verification

Webhook verification contract

WhatsApp and Telegram inbound webhooks require server-side secrets, replay protection and audit events before any provider traffic can affect MUPZAOS workflows.

Contract statusProviders: 2Rules: 3Simulations: 3External mutation: false
WhatsApp coveredtrue
Telegram coveredtrue
Secrets requiredtrue
Replay protectiontrue
Inbound auditedtrue
Secrets redactedtrue
No external mutationtrue
No LAN blockingtrue

Verification rules

WhatsApp GET verify tokenGET
/webhooks/whatsapp?hub.mode=subscribe

Meta verification challenge can be answered only when verify token matches, without logging token value.

WhatsApp POST inbound messagePOST
/webhooks/whatsapp

Inbound WhatsApp payload is accepted only after verification, replay check and audit event creation.

Telegram secret webhook pathPOST
/webhooks/telegram/{TELEGRAM_WEBHOOK_SECRET}

Telegram inbound updates require a server-side secret path and never expose bot token or secret.

Simulations

sim_whatsapp_verify_passpass
audit_webhook_001

Matching verify-token request returns challenge in real runtime; QA only records the contract.

sim_whatsapp_replay_blockblocked_replay
audit_webhook_002

Duplicate inbound event id inside replay window is blocked and audited.

sim_telegram_secret_blockblocked_missing_secret
audit_webhook_003

Telegram webhook path without configured secret is blocked before message handling.