Under WebSub, there is an ecosystem of publishers, subscribers, and hubs. A subscriber first retrieves content from an HTTP resource (URL) by requesting it from the web server. The subscriber then inspects the contents of the response, and if it references a hub, the subscriber can subscribe to that resource's URL (called a 'topic' by the spec) on that hub. The subscriber needs to run a web-accessible server so that hubs can directly notify it, using a webhook mechanism, when any of its subscribed topics have updated.

Publishers expose their content with hub references included in the HTTP headers. They post notifications to those referenced hubs whenever they publish something. Thus, when a publication event occurs, the publisher calls its hubs and the hubs call their subscribers.

WebSub includes a simple verification-of-intent mechanism to prevent abusive subscriptions, and a validation mechanism allows for subscriptions to private or protected web resources. When the subscriber sends the subscription request to the hub, the subscriber address and a code need to be included. The hub immediately sends a verification message to the subscriber with the URL of the topic and the above code. The subscription request will only be accepted if the subscriber sends a positive response to the hub's verification request.

In order to provide a secure chain, subscribers should share a secret with the hub, which the hub will use to compute an HMAC signature that is sent to the subscriber. The subscriber can then easily verify the origin by comparing the supplied signature with a similarly computed signature on their end.

== Usage ==
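
The subscriber-side signature check described above, as an added example that is not part of the original article. The `X-Hub-Signature` header and its `method=hexdigest` format come from the W3C WebSub specification; the secret, notification body and function names are constructed for illustration.

```python
import hashlib
import hmac

# Digest methods the WebSub specification recognises in X-Hub-Signature.
SPEC_METHODS = frozenset({"sha1", "sha256", "sha384", "sha512"})


def sign(secret: bytes, body: bytes, method: str = "sha256") -> str:
    """Hub side: HMAC over the raw notification body, keyed with the secret."""
    digest = hmac.new(secret, body, getattr(hashlib, method)).hexdigest()
    return f"{method}={digest}"


def verify_notification(secret: bytes, body: bytes, header,
                        accepted=SPEC_METHODS) -> bool:
    """Subscriber side: True only if `header` is a valid signature of `body`.

    `body` must be the exact bytes received, before any decoding or JSON/XML
    parsing, because re-serialised content will not hash to the same value.
    """
    if not header or "=" not in header:
        return False  # a secret was shared, so an unsigned delivery is rejected
    method, _, supplied = header.partition("=")
    method = method.strip().lower()
    if method not in accepted:
        return False  # unknown digest, or one this subscriber chose not to accept
    expected = hmac.new(secret, body, getattr(hashlib, method)).hexdigest()
    # Constant-time comparison: do not leak how many leading characters matched.
    return hmac.compare_digest(
        expected.encode("ascii"),
        supplied.strip().lower().encode("utf-8", "replace"),
    )


if __name__ == "__main__":
    secret = b"constructed-shared-secret"           # constructed sample value
    body = b'{"topic": "https://example.org/feed"}'  # constructed sample body
    header = sign(secret, body)
    print("valid delivery:   ", verify_notification(secret, body, header))
    print("tampered body:    ", verify_notification(secret, body + b" ", header))
    print("missing signature:", verify_notification(secret, body, None))
```
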