Documentation

Did you find this helpful?

Making Webhook Calls From Cloud Script

One of the less well-known features of PlayFab’s Cloud Script is the fact that you can make webhook calls from it to any Web API endpoint, using standard Representational State Transfer (REST) calls. This allows titles to make calls to basic informational services, but it also enables more complex scenarios such as using OAuth to secure a communication to an endpoint you own. This tutorial discusses making webhook calls from Cloud Script, for both non-secure and secure scenarios.

As a REST call, the structure of a webhook call from Cloud Script is simple. The elements to be specified are:

  • The URL endpoint
  • The REST method (post, get, put, or delete)
  • Any headers required
  • The content type (most commonly application/json)
  • The content itself (body)

For example, a basic Web API call to get the version number of your server-side logic might look something like this:

// Cloud Script
var url = "http://api.yoursite.com/playfab_call/GetVersion";
var method = "post";
var contentBody = "";
var contentType = "application/json";
var headers = {};
var responseString =  http.request(url,method,contentBody,contentType,headers); 

The body of the response is returned in stringified form, so that you can subsequently use it in the rest of the script. In this case, since we were querying version, if you were to write the response out to the log like so:

// Cloud Script
log.info(responseString); 

The response back to the client at the end of running the Cloud Script might look like this:

//HTTP Response
{
    "code": 200,
    "status": "OK",
    "data":
    {
        "FunctionName": "MyScript",
        "Revision": 23,
        "FunctionResult": true,
        "Logs": [
        {
            "Level": "Info",
            "Message": "{\"version\": 3}"
        }],
        "ExecutionTimeSeconds": 0.4309841,
        "MemoryConsumedBytes": 29608,
        "APIRequestsIssued": 0,
        "HttpRequestsIssued": 1
    }
}

If, however, you have a secure service you need to communicate with, you’ll need to first exchange credentials with that service to establish identity. For an OAuth solution, that means requesting a Bearer Access Token, using your Client ID and Secret. This will vary based upon your specific OAuth implementation, but your call could look something like this:

//Cloud Script
var url = "https://api.yoursite.com/playfab_call/request_token";
var method = "post";
var contentBody = "grant_type=client_credentials";
var contentType = "application/x-www-form-urlencoded";
var headers = {};
Headers["client_id"] = clientId;
Headers["client_secret"] = clientSecret;

var tokenResponse =  http.request(url,method,contentBody,contentType,headers);

Given a good response, you would then be able to parse the Bearer Access Token from the response like so (again, this does depend upon the specifics of your OAuth implementation, but this is a fairly common pattern for this form of authentication):

//Cloud Script
var parsedData = JSON.parse(tokenResponse);
var bearer_access_token = parsedData["access_token"];

Which would then allow you to call into your OAuth-secured functionality by providing the Bearer Access Token.

//Cloud Script
var url = "https://api.yoursite.com/playfab_call/do_action";
var method = "post";
var contentBody = customActionBody;
var contentType = "application/json";
var headers = {};
Headers["authorization"] = "Bearer " + bearer_access_token;

So the basic pattern in this case is that you use your application’s Client ID and Secret in order to obtain the unique Bearer Access Token for the call, and then use it to secure that call. As you can see, these calls would all be made using SSL, in order to help prevent man-in-the-middle attacks.

Using http calls from Cloud Script, you can make calls into any other Web API you need to for your title. This allows you to extend your title’s functionality beyond even what PlayFab offers directly, giving you the option to make and use your own custom services, or access others. And because this all takes place in Cloud Script, this provides a server-authoritative context in which to make those calls, so that they can have the necessary protections in your Cloud Script to help prevent players from cheating or accessing features and data they shouldn’t.



Did you find this helpful?