On this page

Validate Webhook requests from SendGrid

(warning)

Warning

This example uses headers and cookies, which are only accessible when your Function is running @twilio/runtime-handler version 1.2.0 or later. Consult the Runtime Handler guide to learn more about the latest version and how to update.

Protecting your Twilio Functions from non-Twilio requests is usually just a matter of setting a Function's visibility to Protected. However, if you'd like to create a Function that's intended to only handle incoming Webhook requests from a product such as SendGrid, validation will require some manual inspection of headers, which are now accessible!

In this example, we'll create a Function which will serve as the Event Webhook for your SendGrid account. The Function will validate if the incoming request came from SendGrid, and send a text message to a designated phone number if an email has been opened.

Create and host a Function

In order to run any of the following examples, you will first need to create a Function into which you can paste the example code. You can create a Function using the Twilio Console or the Serverless Toolkit as explained below:

ConsoleServerless Toolkit

If you prefer a UI-driven approach, creating and deploying a Function can be done entirely using the Twilio Console and the following steps:

Log in to the Twilio Console and navigate to the Functions tab . If you need an account, you can sign up for a free Twilio account here !
Functions are contained within Services . Create a Service by clicking the Create Service button and providing a name such as test-function .
Once you've been redirected to the new Service, click the Add + button and select Add Function from the dropdown.
This will create a new Protected Function for you with the option to rename it. The name of the file will be path it is accessed from.
Copy any one of the example code snippets from this page that you want to experiment with, and paste the code into your newly created Function. You can quickly switch examples by using the dropdown menu of the code rail.
Click Save to save your Function's contents.
Click Deploy All to build and deploy the Function. After a short delay, your Function will be accessible from: https://<service-name>-<random-characters>-<optional-domain-suffix>.twil.io/<function-path>
For example: test-function-3548.twil.io/hello-world .

The Serverless Toolkit enables you with local development, project deployment, and other functionality via the Twilio CLI. To get up and running with these examples using Serverless Toolkit, follow this process:

From the CLI, run twilio serverless:init <your-service-name> --empty to bootstrap your local environment.
Navigate into your new project directory using cd <your-service-name>
In the /functions directory, create a new JavaScript file that is named respective to the purpose of the Function. For example, sms-reply.protected.js for a Protected Function intended to handle incoming SMS.
Populate the file using the code example of your choice and save. Note A Function can only export a single handler. You will want to create separate files if you want to run and/or deploy multiple examples at once.

Once your Function(s) code is written and saved, you can test it either by running it locally (and optionally tunneling requests to it via a tool like ngrok), or by deploying the Function and executing against the deployed url(s).

Run your Function in local development

Run twilio serverless:start from your CLI to start the project locally. The Function(s) in your project will be accessible from http://localhost:3000/sms-reply

If you want to test a Function as a Twilio webhook , run: twilio phone-numbers:update <your Twilio phone number> --sms-url "http://localhost:3000/sms-reply"
This will automatically generate an ngrok tunnel from Twilio to your locally running Function, so you can start sending texts to it. You can apply the same process but with the voice-url flag instead if you want to test with Twilio Voice .
If your code does not connect to Twilio Voice/Messages as a webhook, you can start your dev server and start an ngrok tunnel in the same command with the ngrok flag. For example: twilio serverless:start --ngrok=""

Deploy your Function

To deploy your Function and have access to live url(s), run twilio serverless:deploy from your CLI. This will deploy your Function(s) to Twilio under a development environment by default, where they can be accessed from:

https://<service-name>-<random-characters>-dev.twil.io/<function-path>

For example: https://incoming-sms-examples-3421-dev.twil.io/sms-reply

Your Function is now ready to be invoked by HTTP requests, set as the webhook of a Twilio phone number, invoked by a Twilio Studio Run Function Widget, and more!

Validate Webhook requests from SendGrid


_102const { EventWebhook, EventWebhookHeader } = require('@sendgrid/eventwebhook');
_102
_102// Helper method for validating SendGrid requests
_102const verifyRequest = (publicKey, payload, signature, timestamp) => {
_102  // Initialize a new SendGrid EventWebhook to expose helpful request
_102  // validation methods
_102  const eventWebhook = new EventWebhook();
_102  // Convert the public key string into an ECPublicKey
_102  const ecPublicKey = eventWebhook.convertPublicKeyToECDSA(publicKey);
_102  return eventWebhook.verifySignature(
_102    ecPublicKey,
_102    payload,
_102    signature,
_102    timestamp
_102  );
_102};
_102
_102exports.handler = async (context, event, callback) => {
_102  // Access a pre-initialized Twilio client from context
_102  const twilioClient = context.getTwilioClient();
_102  // Access sensitive values such as the sendgrid key and phone numbers
_102  // from Environment Variables
_102  const publicKey = context.SENDGRID_WEBHOOK_PUBLIC_KEY;
_102  const twilioPhoneNumber = context.TWILIO_PHONE_NUMBER;
_102  const numberToNotify = context.NOTIFY_PHONE_NUMBER;
_102
_102  // The SendGrid EventWebhookHeader provides methods for getting
_102  // the necessary header names.
_102  // Remember to cast these header names to lowercase to access them correctly
_102  const signatureKey = EventWebhookHeader.SIGNATURE().toLowerCase();
_102  const timestampKey = EventWebhookHeader.TIMESTAMP().toLowerCase();
_102
_102  // Retrieve SendGrid's headers so they can be used to validate
_102  // the request
_102  const signature = event.request.headers[signatureKey];
_102  const timestamp = event.request.headers[timestampKey];
_102
_102  // Runtime injects the request object and spreads in the SendGrid events.
_102  // Isolate the original SendGrid event contents using destructuring
_102  // and the rest operator
_102  const { request, ...sendGridEvents } = event;
_102  // Convert the SendGrid event back into an array of events, which is the
_102  // format sent by SendGrid initially
_102  const sendGridPayload = Object.values(sendGridEvents);
_102
_102  // Stringify the event and add newlines/carriage returns since they're expected by validator
_102  const rawEvent =
_102    JSON.stringify(sendGridPayload).split('},{').join('},\r\n{') + '\r\n';
_102
_102  // Verify the request using the public key, the body of the request,
_102  // and the SendGrid headers
_102  const valid = verifyRequest(publicKey, rawEvent, signature, timestamp);
_102  // Reject invalidated requests!
_102  if (!valid) return callback("Request didn't come from SendGrid", event);
_102
_102  // Helper method to simplify repeated calls to send messages with
_102  // nicely formatted timestamps
_102  const sendSMSNotification = (recipientEmail, timestamp) => {
_102    const formattedDateTime = new Intl.DateTimeFormat('en-US', {
_102      year: 'numeric',
_102      month: 'numeric',
_102      day: 'numeric',
_102      hour: 'numeric',
_102      minute: 'numeric',
_102      second: 'numeric',
_102      hour12: true,
_102      timeZone: 'America/Los_Angeles',
_102    }).format(timestamp);
_102
_102    return twilioClient.messages.create({
_102      from: twilioPhoneNumber,
_102      to: numberToNotify,
_102      body: `Email to ${recipientEmail} was opened on ${formattedDateTime}.`,
_102    });
_102  };
_102
_102  // Convert the original list of events into a condensed version for SMS
_102  const normalizedEvents = sendGridPayload
_102    .map((rawEvent) => ({
_102      to: rawEvent.email,
_102      timestamp: rawEvent.timestamp * 1000,
_102      status: rawEvent.event,
_102      messageId: rawEvent.sg_message_id.split('.')[0],
_102    }))
_102    // Ensure that events are sorted by time to ensure they're sent
_102    // in the correct order
_102    .sort((a, b) => a.timestamp - b.timestamp);
_102
_102  // Iterate over each event and wait for a text to be sent before
_102  // processing the next event
_102  for (const event of normalizedEvents) {
_102    // You could also await an async operation to update your db records to
_102    // reflect the status change here
_102    // await db.updateEmailStatus(event.messageId, event.status, event.timestamp);
_102    if (event.status === 'open') {
_102      await sendSMSNotification(event.to, event.timestamp);
_102    }
_102  }
_102
_102  // Return a 200 OK!
_102  return callback();
_102};

Create your Function and connect it to SendGrid

First, create a new sendgrid-email Service and add a Public /events/email Function. Delete the default contents of the Function, and paste in the code snippet provided on this page.
Create a free SendGrid account .
Follow the instructions here to set up a SendGrid Event Webhook. Paste the URL of your newly created Function as the unique URL for the Event Webhook. (it will look like https://sendgrid-email-5877.twil.io/events/email)
Follow these steps to enable the Signed Event Webhook Requests. This will add signed SendGrid headers to incoming webhook requests, which we can then use to validate requests!
Copy the generated Verification Key from the last step, and save it as an Environment variable in Runtime as SENDGRID_WEBHOOK_PUBLIC_KEY. While here, also save your TWILIO_PHONE_NUMBER (from the Twilio console) and a NOTIFY_PHONE_NUMBER (this could be your personal phone number for now)
Add the @sendgrid/eventwebhook dependency as *, and ensure that the @twilio/runtime-handler dependency is set to version 1.3.0 or later to enable headers.
Save your Function and deploy it by clicking on Deploy All.

Validate your code

Now that you've deployed your Function, it's time to validate that your code and its integration with SendGrid is working properly. In order to do so, you'll need to generate some email events. This will be accomplished with a short script written in JavaScript and using the @sendgrid/mail library.

Setup environment variables

First, grab your SendGrid API Key (or create one!). For security, we'll be setting it as an environment variable and using it in our code instead of directly hard-coding it. You can do so by performing the following commands in your terminal, making sure to replace the YOUR_API_KEY placeholder with your own key.


_10echo "export SENDGRID_API_KEY='YOUR_API_KEY'" > sendgrid.env
_10echo "sendgrid.env" >> .gitignore
_10source ./sendgrid.env

Install the helper library

Next, use npm or yarn to install the Node.js SendGrid helper library which will enable you to send emails using JavaScript. If you already have Node.js installed, it's very likely you already have npm available and ready to use.


_10npm install --save @sendgrid/mail

If you prefer yarn instead:


_10yarn add @sendgrid/mail

Add and verify a Sender Identity

Before you can successfully send an email, you'll need to verify an email address or domain in the Sender Authentication tab. Without this, you will receive a 403 Forbidden response when attempting to send mail.

Send a test email

Once you have prepared your environment variables, installed the SendGrid helper library, and your email has been validated, you're ready to send some emails and create some events.

Create a new file such as send-email.js, and paste in the following snippet. Be sure to replace the from variable with your verified email address from earlier, as well as the to variable (in this case, you can use your verified email address here as well). Save the file.


_19// Using Twilio SendGrid's v3 Node.js Library
_19// https://github.com/sendgrid/sendgrid-nodejs
_19const sgMail = require('@sendgrid/mail');
_19sgMail.setApiKey(process.env.SENDGRID_API_KEY);
_19
_19sgMail
_19  .send({
_19    from: 'test@example.com', // Change to your verified sender
_19    to: 'test@example.com', // Change to your recipient
_19    subject: 'Sending with Twilio SendGrid is Fun',
_19    text: 'and easy to do anywhere, even with Node.js',
_19    html: '<strong>and easy to do anywhere, even with Node.js</strong>',
_19  })
_19  .then(() => {
_19    console.log('Email sent');
_19  })
_19  .catch((error) => {
_19    console.error(error);
_19  });

Once the script is saved, you can send your test email by executing the script with Node.js:


_10node send-email.js

Check your texts

Once you've received your email and opened it, you should receive a text message from your Function a short time later!

If you would like to expedite this process a bit and not wait for the open event itself, you could modify line 95 of the Function body to instead check for delivered events instead. A delivered event will be emitted and processed by your Function almost immediately after executing the send-email script.