API gateway changes

We have moved away from our legacy API gateway service to the AWS API gateway service to better serve your growing API needs.

This migration is being performed in 2 phases:

  • Phase 1: Provide the new regional gateway service (completed).
  • Phase 2: Sunset the api.whispir.com URL, and only keep the regional-based links (ongoing, and last date for clients to update is 30 April 2019).

Follow the steps below to check the 3 main compliance elements for the new API gateway standards.

1. Change of SSL certificates

Whispir is aware of some client integrations that depend on trusting the client SSL certificate explicitly.

If your application has this dependency, we recommend that you review your implementation, as the certificate serving api.whispir.com will be changing. You can download the new wildcard certificate by visiting au.whispir.com or the respective region-based URL (ap, us, nz, it, ap1). (Note: The steps for downloading a certificate may vary from browser to browser.)

2. IP whitelisting

The new and legacy Whispir API gateway services are hosted in AWS.

If your implementation depends on IP whitelisting in order to make calls to our service, we suggest that you review the following set of Amazon IPs. You will need to whitelist all IP ranges.

For users still connecting to https://api.whispir.com until the 30 April 2019 deadline:

  • Service ‘CLOUDFRONT’ in the region ‘GLOBAL’

For all regional endpoints you should be using REGION + EC2:

  • AU, IT, EDUCATION, NZ = AP-SOUTHEAST-2
  • AP, AP1 = AP-SOUTHEAST-1
  • US = US-WEST-1
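
The region and service selection above can be turned into a firewall allowlist with a short script. This is an added example, not Whispir's own code: it assumes the "set of Amazon IPs" is AWS's published ip-ranges.json document, and the sample data, the `allowlist` and `is_allowed` helpers and the `api` key for the legacy host are constructed for illustration.

```python
import ipaddress
import json

# Whispir endpoint prefix -> AWS region, as listed on this page.
WHISPIR_TO_AWS = {
    "au": "ap-southeast-2", "it": "ap-southeast-2",
    "education": "ap-southeast-2", "nz": "ap-southeast-2",
    "ap": "ap-southeast-1", "ap1": "ap-southeast-1",
    "us": "us-west-1",
}

# Constructed sample in the shape of AWS's ip-ranges.json; the CIDRs are
# documentation ranges (RFC 5737 / RFC 3849), not real AWS addresses.
SAMPLE = json.loads("""
{"prefixes": [
  {"ip_prefix": "192.0.2.0/25",     "region": "ap-southeast-2", "service": "EC2"},
  {"ip_prefix": "192.0.2.0/24",     "region": "ap-southeast-2", "service": "AMAZON"},
  {"ip_prefix": "198.51.100.0/24",  "region": "ap-southeast-1", "service": "EC2"},
  {"ip_prefix": "203.0.113.0/24",   "region": "GLOBAL",         "service": "CLOUDFRONT"},
  {"ip_prefix": "203.0.113.128/25", "region": "us-west-1",      "service": "S3"}
 ],
 "ipv6_prefixes": [
  {"ipv6_prefix": "2001:db8:1::/48", "region": "ap-southeast-2", "service": "EC2"}
 ]}
""")

def allowlist(doc, endpoint):
    """Return sorted networks to allow for a Whispir endpoint prefix.
    'api' is the legacy api.whispir.com host (CLOUDFRONT / GLOBAL)."""
    if endpoint.lower() == "api":
        service, region = "CLOUDFRONT", "GLOBAL"
    else:
        service, region = "EC2", WHISPIR_TO_AWS[endpoint.lower()]
    nets = []
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in doc.get(key, []):
            # Compare case-insensitively: the page writes regions in upper case.
            if (entry["service"].upper() == service
                    and entry["region"].upper() == region.upper()):
                nets.append(ipaddress.ip_network(entry[field]))
    return sorted(nets, key=lambda n: (n.version, n))

def is_allowed(nets, address):
    """True if address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == n.version and ip in n for n in nets)
```

Filtering on the exact service name matters: in the sample, 192.0.2.200 appears only under the broader AMAZON entry and is deliberately left out of the AU allowlist.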

3. Enforcing HTTP specifications

Whispir is aware of some client integrations that don't adhere to the header parsing rules specified in the Hypertext Transfer Protocol specification.

While Whispir is looking to implement mitigations for those affected, we highly recommend that you review your implementations and ensure that they treat all header names as case-insensitive to increase resilience.

The rollout of changes in 2018 highlighted these issues with some client integrations. The most common problem identified was a dependency on the upper/lower case status of the ‘location’ response header provided by Whispir after successful API calls.