Verifying webhook with signature and secret key
Answered
Posted Dec 17, 2021
We have our webhook set up such that it makes a POST request to our internal API. We want to authenticate this request by verifying that it came from Zendesk by following the documentation outlined here.
We've set up the NodeJS verification example exactly as described, and pulled the webhook secret from a live webhook, and pulled live webhook invocation request headers for the timestamp and signature, exactly as described for testing our verification logic, and the signed values never match. We have also tried testing the webhook with the static test secret noted here.
- Could we get a list of the most common mistakes made when verifying webhook signatures?
- Do you have a Python example of verifying webhook signatures that we could refer to?
- Would it be possible to set up a call to speak with a support specialist directly about the issues we're seeing?
2
10
10 comments
Jeff Weng
Hi Meagan,
Did you ever get this issue resolved? I am having a similar issue in Java where the signature we calculate does not match.
0
Gustavo Oliveira
Thanks for your response on the community post, it's much appreciated.
I'll be creating a support ticket, so keep an eye out on your emails, and we can go from there.
I look forward to troubleshooting this further in depth with you, speak soon!
0
Harry Wright
For anyone looking for a solution in Python..
https://gist.github.com/harryrobertwright/52103709160933d1d4f4b1f6649439e2
0
Arvind Anbuvel
Figured it out. It was to do with the spacing on the JSON request.
The JSON payload must have one space before and after ":" and no other space or tabs anywhere else. See example below:
{"id" : "XXX", "amount" : "4567.89", "currency" : "aud", "reason" : "product_not_received"}
The payload fields are not ordered and spaces are not trimmed. Zendesk really should have taken care of simple things like this.
0
Andrea Cabral
We are having exactly the same issue using exactly the same framework/tools/language. Please advise what the solution to this issue was.
0
Christos Pazaras
For anyone looking for a solution in PHP:
https://github.com/cpazaras/zendesk-webhook-signature-verification-php
0
Mitul Patel
For anyone facing the issue in Java Spring Boot, make sure the format of your body payload set up in the Zendesk trigger responsible for calling your webhook API matches identically with the Java object representing the request body. If your signature validation fails, check your spaces and indentation for your body during signature creation.
0
Danilo Polani
For PHP, you have to set the last parameter of hash_hmac, which is "binary", to true. Example code: https://gist.github.com/danilopolani/7add9e723636e4c9f3fdd06b8c945cc6
0
Denis Tataurov
This should work for your Ruby on Rails app:
0
Ryan Clarke
I know it's an older thread, but I ran into a weird issue with message validation that doesn't seem to add up. I've created the webhook and verified that validation works when using the “Test Webhook” functionality.
However, I noticed when the webhook runs normally, message authentication fails. So I copied the body from the failed attempt, went back to “Test Webhook”, pasted the content into the message body, sent it, and message validation now works again. I've double-checked that the secret I'm validating against is the correct one for this webhook. So it seems there is some difference between the two message bodies being posted. Any thoughts?
0
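Added example (not part of any post in this thread, and not Zendesk's own code): a Python check that reproduces the two failure modes reported above, a body that was parsed and re-serialized before hashing, and a digest that was hex-encoded before base64. It assumes the signature is base64(HMAC-SHA256(secret, timestamp + raw body)); the secret and timestamp are constructed, and the body reuses the sample payload posted in the thread.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for illustration only; not a real webhook secret.
SECRET = "constructed-example-secret"
TIMESTAMP = "2021-12-17T00:00:00Z"
# Body bytes exactly as received on the wire (spacing taken from the thread's sample).
RAW_BODY = b'{"id" : "XXX", "amount" : "4567.89", "currency" : "aud", "reason" : "product_not_received"}'


def sign(secret: str, timestamp: str, body: bytes) -> str:
    """Assumed scheme: base64(HMAC-SHA256(secret, timestamp + body))."""
    mac = hmac.new(secret.encode(), timestamp.encode() + body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()  # raw digest, then base64


def verify(secret: str, timestamp: str, raw_body: bytes, signature: str) -> bool:
    """Check the header signature against the unmodified request bytes."""
    expected = sign(secret, timestamp, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


def reserialized(raw_body: bytes) -> bytes:
    """What a handler ends up hashing if it parses the JSON and re-encodes it."""
    return json.dumps(json.loads(raw_body)).encode()


def hex_then_base64(secret: str, timestamp: str, body: bytes) -> str:
    """Common mistake: base64 of the hex digest string instead of the raw digest."""
    mac = hmac.new(secret.encode(), timestamp.encode() + body, hashlib.sha256)
    return base64.b64encode(mac.hexdigest().encode()).decode()


# Stand-in for the signature header the sender would attach to this delivery.
HEADER_SIGNATURE = sign(SECRET, TIMESTAMP, RAW_BODY)

if __name__ == "__main__":
    print("raw bytes:      ", verify(SECRET, TIMESTAMP, RAW_BODY, HEADER_SIGNATURE))
    print("re-serialized:  ", verify(SECRET, TIMESTAMP, reserialized(RAW_BODY), HEADER_SIGNATURE))
    print("hex-then-base64:", hex_then_base64(SECRET, TIMESTAMP, RAW_BODY) == HEADER_SIGNATURE)
```

In a web framework, read the request body as bytes before any JSON middleware touches it and pass those bytes to `verify`; parse the JSON only after the signature check succeeds.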