Box Webhooks
To integrate Box webhooks with ngrok:
This guide covers how to use ngrok to integrate your localhost app with Box by using Webhooks. Box webhooks can be used to notify an external application whenever specific events occur in your Box account.
By integrating ngrok with Box, you can:
- Develop and test Box webhooks locally, eliminating the time in deploying your development code to a public environment and setting it up in HTTPS.
- Inspect and troubleshoot requests from Box in real-time via the inspection UI and API.
- Modify and Replay Box Webhook requests with a single click and without spending time reproducing events manually in your Box account.
- Secure your app with Box validation provided by ngrok. Invalid requests are blocked by ngrok before reaching your app.
Step 1: Start your app
For this tutorial, we'll use the sample NodeJS app available on GitHub.
To install this sample, run the following commands in a terminal:
Loading…
This will get the project installed locally.
Now you can launch the app by running the following command:
Loading…
The app runs by default on port 3000.
You can validate that the app is up and running by visiting http://localhost:3000. The application logs request headers and body in the terminal and responds with a message in the browser.
Step 2: Launch ngrok
Once your app is running successfully on localhost, let's get it on the internet securely using ngrok!
-
If you're not an ngrok user yet, just sign up for ngrok for free.
-
Go to the ngrok dashboard and copy your Authtoken.
Tip: The ngrok agent uses the auth token to log into your account when you start a tunnel. -
Start ngrok by running the following command:
Loading…
-
ngrok will display a URL where your localhost application is exposed to the internet (copy this URL for use with Box).
Step 3: Integrate Box
To register a webhook on your Box account follow the instructions below:
-
Access Box, sign in using your Box account, and then click Dev Console on the left menu.
-
On the Box Developer console, click Create New App, and then click Custom App.
-
On the Custom App popup, click Server Authentication (with JWT), enter a name for the app in the App name field, and then click Create App.
-
On the app's page, click the Configuration tab, mark the Manage Webhooks checkbox under Developer Actions, and then click Save Changes.
-
Click the Authorization tab, click Review and Submit, enter
Requesting Access
in the App Description field, and then click Submit. -
Access Box Admin Console, click Apps on the left menu, click the Custom App Manager tab, click View on your app, click Authorize, and then click Authorize.
-
Back to the Box Developer Console, click your app name, click the Webhook tab, click Create Webhook, and then click V2.
-
On the Create a Webhook page, enter the URL provided by the ngrok agent to expose your application to the internet in the URL Address field (i.e.
https://1a2b-3c4d-5e6f-7g8h-9i0j.ngrok.app
). -
Click Choose an item for the Content Type section, select a folder from your box account, and then click Choose.
-
Click File Triggers, mark the File Uploaded checkbox, and then click Create Webhook.
Run Webhooks with Box and ngrok
Because you registered your webhook with the File Uploaded trigger, Box sends a notification to your application whenever you upload files to a folder.
- Access Box, sign in using your Box account, and then upload a file from your desktop to the folder you selected during the webhook registration. See Integrate Box.
After the file upload process is completed, Box sends a post request to your application.
Confirm your localhost app receives the FILE.UPLOADED event notification and logs both headers and body in the terminal.
Inspecting requests
ngrok's Traffic Inspector captures all requests made through your ngrok endpoint to your localhost app. Click on any request to view detailed information about both the request and response.
By default, accounts only collect traffic metadata to avoid exposing secrets. You must enable full capture in the Observability section of your account settings to capture complete request and response data.
Use the traffic inspector to:
- Validate webhook payloads and response data
- Debug request headers, methods, and status codes
- Troubleshoot integration issues without adding logging to your app
Replaying requests
Test your webhook handling code without triggering new events from your service using the Traffic Inspector's replay feature:
-
Send a test webhook from your service to generate traffic in your Traffic Inspector.
-
Select the request you want to replay in the traffic inspector.
-
Choose your replay option:
- Click Replay to send the exact same request again
- Select Replay with modifications to edit the request before sending
-
Modify the request (optional): Edit any part of the original request, such as changing field values in the request body.
-
Send the request by clicking Replay.
Your local application will receive the replayed request and log the data to the terminal.
Secure webhook requests
The ngrok signature webhook verification feature allows ngrok to assert that requests from your Box webhook are the only traffic allowed to make calls to your localhost app.
Note: This ngrok feature is limited to 500 validations per month on free ngrok accounts. For unlimited, upgrade to Pro or Enterprise.
This is a quick step to add extra protection to your application.
-
Access Box Developer Console, click your app name, click the Webhook tab, and then click Manage Signature Keys.
-
On the Manage Signature Keys page, click Generate Key in the Primary Key section and then click COPY to copy the value of the generated primary key.
-
Create a file named
box_policy.yml
, replacing{your primary key}
with the value you have copied before:Loading…
-
Restart your ngrok agent by running the command:
Loading…
-
Access Box, sign in using your Box account, and then upload a file from your desktop to the folder you selected during the webhook registration. See Integrate Box.
Verify that your local application receives the request and logs information to the terminal.