FAQ - Webhooks ❓
The sms:received webhook is not triggering
If your SMS-received webhook isn't firing, try these solutions:
-
RCS Interference
Steps:
- Install Google Messages
- Set as default SMS app
- Go to Settings → RCS Chats → Disable
-
Third-Party App Issues
-
Permission Check
Verify that the app has the necessary permissions- SMS permission granted
- Not battery optimized
- Background activity allowed
Can I use webhooks with an HTTP server without encryption?
Due to Android OS security requirements and the app's privacy policy, webhook events can only be received through an encrypted HTTPS connection. This ensures sensitive SMS data (like OTP codes) is protected during transmission.
Exceptions
- Loopback IP address
127.0.0.1in Local mode can be used without encryption.
Private IP Addresses (RFC1918)
Webhooks to private IP addresses (like 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x) must use HTTPS.
This is because Android enforces HTTPS by default for all addresses.
Solutions for Local Networks
Use these approaches for local webhook endpoints:
-
Project CA Certificates Generate a trusted certificate for your private IP using our Certificate Authority
-
Localhost with Reverse Port Forwarding Use
127.0.0.1with ADB reverse port forwarding to access local servers -
Secure Tunnels Services like Cloudflare Tunnel or ngrok provide HTTPS endpoints for local servers
Security Rationale
This requirement balances:
- Privacy protection for SMS data
- Android platform security defaults (cleartext restrictions)
- Practical flexibility through the Project CA
While SMS has inherent security limitations, HTTPS provides essential transport-layer protection for webhook payloads.
How to use webhooks with self-signed certificate?
Support for user-provided self-signed certificates will be removed in version 2.x of the app. It is strongly recommended to use the project's CA for generating certificates instead.
Migration
- Update the app to the latest version
- Generate Webhook cert
- Update server config to use the new cert
- Remove self-signed certs from the device
How to use webhooks without internet access?
By default, webhooks require internet access and will wait until it's available to improve deliverability. However, if you're using the app in an isolated environment without internet access, you can disable this requirement. Here's how:
- Open app → Settings tab
- Navigate to Webhooks section
- Toggle off "Require Internet connection"
Tradeoff
Disabling internet access requirement may affect the reliability of webhook delivery for external endpoints
How to manage webhooks for specific devices?
- Get device ID from API response when listing devices
- Include
device_idparameter when registering webhooks: - Webhooks without
device_idwill apply to all devices
Using HTTP Webhooks in Local Development
We provide an insecure build variant that allows HTTP webhook endpoints for local network deployments.
Production Use Prohibited
This build MUST NOT be used in public environments as it disables critical security protections. It is strictly for local development and deployment on trusted networks.
When to Use
Use this build when:
- Testing webhook integrations on local networks (e.g.,
192.168.0.100:9876) - Developing without a valid SSL certificate
- Needing to test HTTP endpoints during development
How to Obtain
- Visit the GitHub Releases page
- Download the
app-insecure.apkfile - Install following the standard installation process
Security Considerations
- Always revert to the standard (secure) build for production use
- Never expose insecure builds to public networks
- This build bypasses Android's cleartext traffic restrictions
Still Having Issues?
Visit our Support Forum or contact us at support@sms-gate.app
Include these details:
- App version
- Android version
- Full webhook configuration