| CARVIEW |
Select Language
HTTP/2 200
vary: Accept-Encoding
content-encoding: gzip
reporting-endpoints: coop_report="https://www.facebook.com/browser_reporting/coop/?minimize=0", coep_report="https://www.facebook.com/browser_reporting/coep/?minimize=0", permissions_policy="https://www.facebook.com/ajax/browser_error_reports/"
report-to: {"max_age":2592000,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coop\/?minimize=0"}],"group":"coop_report","include_subdomains":true}, {"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/coep\/?minimize=0"}],"group":"coep_report"}, {"max_age":21600,"endpoints":[{"url":"https:\/\/www.facebook.com\/ajax\/browser_error_reports\/"}],"group":"permissions_policy"}
x-frame-options: DENY
content-security-policy: default-src blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;script-src *.facebook.com *.fbcdn.net *.facebook.net 127.0.0.1:* 'nonce-d41QxvwC' blob: 'self' connect.facebook.net 'unsafe-eval' https://www.googletagmanager.com/gtag/js https://www.googletagmanager.com https://*.google-analytics.com https://translate.google.com *.google.com gw.conversionsapigateway.com;style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline' https://fonts.googleapis.com;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* wss://*.fbcdn.net attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' https://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ v.whatsapp.net *.fbsbx.com *.fb.com https://analytics.google.com https://*.analytics.google.com https://*.google-analytics.com https://*.googletagmanager.com https://stats.g.doubleclick.net gw.conversionsapigateway.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com https://fonts.gstatic.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net connect.facebook.net *.carriersignal.info blob: android-webview-video-poster: *.whatsapp.net *.fb.com *.oculuscdn.com https://*.google-analytics.com https://*.googletagmanager.com https://www.googletagmanager.com https://www.googleadservices.com https://googleads.g.doubleclick.net *.doubleclick.net *.tenor.co *.tenor.com *.giphy.com https://trustly.one/ https://*.trustly.one/ https://paywithmybank.com/ https://*.paywithmybank.com/ dc.ads.linkedin.com analytics.twitter.com t.co;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data: https://*.giphy.com;child-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: www.instagram.com *.fbcdn.net https://www.googleadservices.com https://googleads.g.doubleclick.net https://www.google.com https://td.doubleclick.net *.google.com *.doubleclick.net https://trustly.one/ https://*.trustly.one/ https://paywithmybank.com/ https://*.paywithmybank.com/;manifest-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;object-src data: blob: 'self' https://*.fbsbx.com *.facebook.com *.fbcdn.net;worker-src blob: *.facebook.com data: 'unsafe-eval';block-all-mixed-content;upgrade-insecure-requests;
document-policy: force-load-at-top
document-policy: include-js-call-stacks-in-crash-reports
permissions-policy: accelerometer=(), attribution-reporting=(), autoplay=(), bluetooth=(), camera=(), ch-device-memory=(), ch-downlink=(), ch-dpr=(), ch-ect=(), ch-rtt=(), ch-save-data=(), ch-ua-arch=(), ch-ua-bitness=(), ch-viewport-height=(), ch-viewport-width=(), ch-width=(), clipboard-read=(), clipboard-write=(), compute-pressure=(), display-capture=(), encrypted-media=(), fullscreen=(self), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), shared-storage=(), shared-storage-select-url=(), private-state-token-redemption=(), usb=(), unload=(self), window-management=(), xr-spatial-tracking=();report-to="permissions_policy"
cross-origin-resource-policy: cross-origin
cross-origin-embedder-policy-report-only: require-corp;report-to="coep_report"
cross-origin-opener-policy: unsafe-none
pragma: no-cache
cache-control: private, no-cache, no-store, must-revalidate
expires: Sat, 01 Jan 2000 00:00:00 GMT
x-content-type-options: nosniff
x-xss-protection: 0
origin-agent-cluster: ?1
strict-transport-security: max-age=15552000; preload
content-type: text/html; charset="utf-8"
x-fb-debug: mLQknjmN8fhj4luxdRKhSfV3XGbXe162IS7GPHCVuCNULwb56PCjFTYBv49+QQjoG5FxQA+mtDkmhSQ3WwHhIw==
date: Sat, 26 Jul 2025 20:12:45 GMT
x-fb-connection-quality: UNKNOWN; q=-1, rtt=-1, rtx=0, c=10, mss=1380, tbw=3533, tp=-1, tpl=-1, uplat=473, ullat=0
alt-svc: h3=":443"; ma=86400
Sample Apps - Webhooks from Meta - Documentation - Meta for Developers
Sample Apps
We provide sample apps on GitHub, which you can set up and repurpose, or which you can use to quickly test your Webhooks configuration.
Setting up the Sample App
Let's walk through setting up a sample app on Heroku:
- Create a free Heroku account if you don't already have one, then sign into it.
- While signed in, go to GitHub and deploy the app to Heroku. The app name you choose will be a part of your Callback URL, so choose something you can remember. Deploying will take a few seconds.
- In a new browser tab, go to your app's App Dashboard Settings, and copy your app's App Secret.
- In your Heroku app's settings, set up two config vars:
APP_SECRETandTOKEN. Assign (paste) your App Secret to theAPP_SECRETconfig var, and assign any string toTOKEN. We will include this string in any verification requests when you configure the Webhooks product in the App Dashboard (the app will validate the request on its own).
Your app should now be ready to go. Before you return to your App Dashboard to configure the Webhooks product:
- View your Heroku app in a web browser. You should see an empty array (
[]). This page will display newly received update notification data, so reload it throughout testing. - Your app's Callback URL will be your Heroku app's URL with
/facebookadded to the end. You will need this Callback URL during product configuration. - Copy the
TOKENvalue you set above; you'll also need this during product configuration.
What's in the Heroku sample app?
The app uses Node.js and these packages:
body-parser(for parsing JSON)express(for routes)express-x-hub(for SHA1 support)
Verifying the Sample App
You can easily verify that your sample app can receive Webhook events.
- Under the Webhooks product in your App Dashboard, click the Test button for any of the Webhook fields.
- A pop-up dialog will appear showing a sample of what will be sent. Click Send to My Server.
- You should now see the Webhook information at the Heroku app's URL, or use
curl https://<your-subdomain>.herokuapp.comin a terminal window.