Need some help with twitter challenge (CRC token)

Hi there!
Just new to pipedream, very excited about it :slight_smile:

I am not at all a coder… so here it goes.

I have managed to use to get past the CRC token of Twitter (Securing webhooks | Docs | Twitter Developer Platform), that’s quite straightforward using their visual nodes. I would like to use pipedream as I noticed it can scale better - however, I do not know how to manage this CRC token thing with pipedream! My best guess is to use nodeJS or python, but as I said - I am entirely lost with coding…

Can somebody help me to code this part?

Twitter docs give examples of using it with python:

Example response token generation in Python:

The following defines a route in a Python 2.7 Flask webapp that will respond to the challenge response check correctly.

import base64
import hashlib
import hmac
import json

# Defines a route for the GET request
@app.route('/webhooks/twitter', methods=['GET'])
def webhook_challenge():

  # creates HMAC SHA-256 hash from incomming token and your consumer secret
  sha256_hash_digest =, msg=request.args.get('crc_token'), digestmod=hashlib.sha256).digest()

  # construct response data with base64 encoded hash
  response = {
    'response_token': 'sha256=' + base64.b64encode(sha256_hash_digest)

  # returns properly formatted json response
  return json.dumps(response)

and js node:

const crypto = require('crypto')

 * Creates a HMAC SHA-256 hash created from the app TOKEN and
 * your app Consumer Secret.
 * @param  token  the token provided by the incoming GET request
 * @return string
module.exports.get_challenge_response = function(crc_token, consumer_secret) {

  hmac = crypto.createHmac('sha256', consumer_secret).update(crc_token).digest('base64')

  return hmac

But I have no idea how to make it so that it will work. I have no doubt this is a piece of cake for any of you!

Going further, I would like to filter different activities so that only DMs get passed through to another webhook (that’s for later :wink: )


Hi @8bees,

First off, welcome to the Pipedream community. Happy to have you!

Thanks for reaching out, great question.

Are you using the Twitter app on Pipedream? If so, that’s managed by Pipedream and the client ID and client secret need to be kept secret and secure.

Otherwise, if you’re using the Twitter Developer App instead, then you’ll be able to have your own personal client ID and client secret which you can then use to generate the CRC token.

Just want to make sure you’re using that app specific on Pipedream, otherwise you won’t be able to generate the CRC.

1 Like

Hi Pierce, thanks for your reply!

I am not using the twitter app - it is using polling + it also doesnt allow to check for DMs. So I’m using twitter premium v1.1 and registered a webhook with twitter :slight_smile:

The only thing I need to know really, is how to get past the coding bit. I’m pretty sure it is really easy… Just need to be able to grab the value of CRC_TOKEN and put it into nodejs/python to generate a HMAC. :slight_smile:

Nevermind. I have found a different way outside of pipedream.