How can I confirm the HTTP subscription request from Amazon SNS

Introduction

When you subscribe an HTTP or HTTPS endpoint to an Amazon SNS topic, SNS does not start delivering normal notifications immediately. It first sends a SubscriptionConfirmation message, and your endpoint must confirm that request before the subscription becomes active.

What SNS Sends to Your Endpoint

SNS makes an HTTP POST request to the subscribed endpoint. The body is JSON and includes fields such as:

  • Type, which is SubscriptionConfirmation
  • MessageId
  • Token
  • TopicArn
  • SubscribeURL
  • Signature and certificate metadata used for verification

You can also inspect the x-amz-sns-message-type header to identify the request quickly before parsing the body.

Until the confirmation succeeds, the subscription stays in a pending state and normal notifications are not delivered. That is why testing the confirmation path is part of the setup, not an optional follow-up task.

Confirming the Subscription

There are two common ways to confirm:

  1. Perform an HTTP GET request to the SubscribeURL
  2. Call the SNS ConfirmSubscription API with the TopicArn and Token

The SubscribeURL route is simple, but the API route is often easier to keep inside your application code and logs.

Here is a minimal Flask example using boto3:

```python
import json

import boto3
from flask import Flask, request

app = Flask(__name__)
sns = boto3.client("sns", region_name="us-east-1")


@app.post("/sns")
def handle_sns():
    # SNS sets this header on every delivery, so the type is known before parsing.
    message_type = request.headers.get("x-amz-sns-message-type")
    # SNS posts the JSON body as text/plain, so parse the raw request data.
    payload = json.loads(request.data)

    if message_type == "SubscriptionConfirmation":
        # Minimal flow: no signature or topic verification happens here.
        sns.confirm_subscription(
            TopicArn=payload["TopicArn"],
            Token=payload["Token"],
        )
        return {"status": "confirmed"}, 200

    if message_type == "Notification":
        print("notification:", payload["Message"])
        return {"status": "processed"}, 200

    # Any other message type is acknowledged but not acted on.
    return {"status": "ignored"}, 200
```

This keeps the logic explicit and works well in server-side code where you already have AWS credentials configured.

Verify the Request Before Confirming

Do not blindly confirm every request that looks like SNS. A production endpoint should validate that the message really came from Amazon SNS. The key checks are:

  • Confirm the signing certificate URL is from an AWS domain you trust
  • Validate the SNS signature against the signed fields
  • Confirm the TopicArn matches the topic you expect

If you skip verification, an attacker could send a fake confirmation message to your endpoint and trick your system into accepting or processing untrusted data.
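The three checks above, written out as an added example (not code from the original page). The function names, the placeholder EXPECTED_TOPIC_ARN and the trusted-host pattern sns.<region>.amazonaws.com are assumptions; SigningCertURL, SignatureVersion and Signature are the certificate and signature fields of the SNS message, and the signature check uses the third-party cryptography package.

```python
import base64
import re
from urllib.parse import urlparse

# Assumption: the one topic this endpoint expects (constructed placeholder ARN).
EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:example-topic"
# Assumption: trusted signing-certificate hosts look like sns.<region>.amazonaws.com.
CERT_HOST_RE = re.compile(r"^sns\.[a-z0-9-]{3,}\.amazonaws\.com(\.cn)?$")
# Fields SNS signs, in this order, for each message type handled here.
SIGNED_FIELDS = {
    "Notification": ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"],
    "SubscriptionConfirmation": ["Message", "MessageId", "SubscribeURL", "Timestamp",
                                 "Token", "TopicArn", "Type"],
}

def cert_url_is_trusted(url):
    """Accept only https URLs on an SNS host that point at a .pem file."""
    u = urlparse(url)
    host_ok = CERT_HOST_RE.match(u.hostname or "") is not None
    return u.scheme == "https" and host_ok and u.path.endswith(".pem")

def string_to_sign(msg):
    """Canonical signed text: name, newline, value, newline for each present field."""
    return "".join(f"{k}\n{msg[k]}\n" for k in SIGNED_FIELDS[msg["Type"]] if k in msg)

def signature_is_valid(msg, cert_pem):
    """Verify Signature with the PEM certificate downloaded from SigningCertURL."""
    from cryptography import x509  # third-party, imported only when needed
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    # SignatureVersion 2 is SHA256withRSA, version 1 is SHA1withRSA.
    digest = hashes.SHA256() if msg.get("SignatureVersion") == "2" else hashes.SHA1()
    key = x509.load_pem_x509_certificate(cert_pem).public_key()
    try:
        key.verify(base64.b64decode(msg["Signature"]), string_to_sign(msg).encode(),
                   padding.PKCS1v15(), digest)
        return True
    except InvalidSignature:
        return False

def precheck(msg):
    """Cheap checks before fetching the certificate; returns a reason or None."""
    if msg.get("Type") not in SIGNED_FIELDS:
        return "unexpected Type"
    if msg.get("TopicArn") != EXPECTED_TOPIC_ARN:
        return "unexpected TopicArn"
    ok = cert_url_is_trusted(msg.get("SigningCertURL", ""))
    return None if ok else "untrusted SigningCertURL"
```

In a handler, call precheck first, download the certificate only if it returns None, and confirm the subscription only when signature_is_valid returns True.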

Handling the Confirmation by SubscribeURL

If you prefer the URL-based flow, the code is straightforward:

```python
import json

import requests
from flask import Flask, request

app = Flask(__name__)


@app.post("/sns")
def handle_sns():
    payload = json.loads(request.data)

    if payload.get("Type") == "SubscriptionConfirmation":
        # The URL is taken from the request body, so this is an outbound
        # request to a location the sender of the message chose.
        response = requests.get(payload["SubscribeURL"], timeout=10)
        response.raise_for_status()

    return {"status": "ok"}, 200
```

This works, but it pushes the confirmation logic into a network call to a URL from the payload. Many teams prefer the SDK call because it is easier to audit and easier to stub in tests.

Common Pitfalls

  • Treating every SNS request as a normal notification means the subscription never leaves the pending state.
  • Confirming the request without signature validation weakens the security of the endpoint.
  • Forgetting to return a successful HTTP response can cause SNS retries even after your application has already processed the confirmation.
  • Not checking TopicArn can lead one endpoint to confirm requests for the wrong topic.

Logging the message type and topic during setup also makes future troubleshooting much easier.

Summary

  • SNS confirms HTTP subscriptions by sending a SubscriptionConfirmation message to your endpoint.
  • You can confirm with the provided SubscribeURL or with the ConfirmSubscription API.
  • In production, validate the signature and expected topic before confirming.
  • Once confirmation succeeds, SNS starts sending normal notification payloads to the endpoint.
