Assistance Required with Webhook Signature Validation
about 1 month ago by Rahul Sinha
I’m encountering issues with validating webhook signatures using the implementation you provided. I've tried Java (per your documentation) and JavaScript (using the crypto library), but the validation consistently fails.
Here are the inputs I’m using:
- Webhook Secret: wsec_/uRPG4raHiR9j5QA8W4x5nNV0j++1W1a
- Webhook Signature: v1,9x6bMQzcYuQez5H8XUcB33+h1epvpbL9lb3N3+UD1V0=
- Webhook Timestamp: 1737971815
- Webhook ID: msg_2sCtjU0EmlLQrxmwcxEoWsaxoE7
- Request Body:
{ api_version: "2022-10-15", data: { object: { amount: 101, cancel_url: "https://dev-app.bringin.xyz/card-prepayment/payment/cancelled", created: 1737971518938, currency: "EUR", default_url: "https://checkout.tryspeed.com/pay/cs_test_m6evdal6vsspC6Td", id: "cs_test_m6evdal6vsspC6Td", livemode: false, metadata: { bringinEmail: "[email protected]", bringinUserId: "1" }, modified: 1737971518938, object: "checkout_session", payments: [], status: "active", success_url: "https://dev-app.bringin.xyz/card-prepayment/payment/confirmation", title: "Bringin Debit Card Payment", title_description: "Please pay the amount to use Bringin Debit cards", transfers: [], ttl: 600, type: "FIXED", url: "https://checkout.tryspeed.com/pay/cs_test_m6evdal6vsspC6Td", }, }, event_type: "checkout_session.created", id: "evt_m6evdaojEfQ7OKRA", livemode: false, object: "events", request: { id: "OHbABrHBC7a3mM4uJkD" }, }
Here is the code I implemented in JavaScript:
```javascript
const crypto = require("crypto");

// Strip the "wsec_" prefix and base64-decode the rest to get the HMAC key.
const webhookSecret = "wsec_/uRPG4raHiR9j5QA8W4x5nNV0j++1W1a";
const requiredSecret = webhookSecret.replace("wsec_", "");
const tempSecret = Buffer.from(requiredSecret, "base64");

// The header value has the form "v1,<base64 signature>".
const webhookSignature = "v1,9x6bMQzcYuQez5H8XUcB33+h1epvpbL9lb3N3+UD1V0=";
const realWebhookSignature = webhookSignature.split(",")[1];
const webhookTimestamp = "1737971815";
const webhookId = "msg_2sCtjU0EmlLQrxmwcxEoWsaxoE7";

// _reqBody is the parsed request body object listed above (not defined in this snippet).
const reqBody = JSON.stringify(_reqBody);

// Signed payload: "<webhook id>.<timestamp>.<body>".
const signPayload = `${webhookId}.${webhookTimestamp}.${reqBody}`;
const hmac = crypto.createHmac("sha256", tempSecret);
hmac.update(signPayload, "utf8");
const signature = hmac.digest("base64");

if (signature === realWebhookSignature) {
  console.log("Matched!", { signature, realWebhookSignature });
}
```
Could you please confirm:
- Is there anything wrong with how I’m constructing or validating the signature?
- Can you verify if the signature matches on your end with these inputs?
- How can we convert this code into JavaScript? Are there any particular libraries we need to use? (If you want I can provide the JS implementation too)
Any guidance or clarification would be highly appreciated. Can you please reply to it sooner because we need this very urgently!
Reference to the docs: Verify Signature
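
An added example, not part of the original post and not the provider's code: a verifier for the scheme shown in the post (HMAC-SHA256 over `id.timestamp.body`, key base64-decoded after the `wsec_` prefix), checked against the raw request bytes with a constant-time comparison and a timestamp window. The secret, message id, body and the 300-second tolerance are constructed assumptions; the demo shows that a body re-serialized with `JSON.stringify` no longer verifies when the sender's bytes differ, which is a common cause of mismatches and has not been checked against the inputs in the post.

```javascript
const crypto = require("crypto");

// Constructed sample values (not the secret or message id from the post).
const SECRET = "wsec_" + Buffer.from("constructed-demo-key-0123456789ab").toString("base64");
const MSG_ID = "msg_constructedExample";
const TOLERANCE_SECONDS = 300; // assumed replay window, not from the post

// HMAC-SHA256 over "<id>.<timestamp>.<raw body bytes>", base64 output.
function sign(secret, id, timestamp, rawBody) {
  const key = Buffer.from(secret.replace(/^wsec_/, ""), "base64");
  return crypto.createHmac("sha256", key)
    .update(`${id}.${timestamp}.`, "utf8")
    .update(rawBody) // Buffer of the bytes exactly as received
    .digest("base64");
}

function verifyWebhook({ secret, id, timestamp, signatureHeader, rawBody, now }) {
  // Reject malformed or stale timestamps before doing any crypto.
  if (!/^\d+$/.test(String(timestamp))) return false;
  if (Math.abs(now - Number(timestamp)) > TOLERANCE_SECONDS) return false;

  const [version, sig] = String(signatureHeader || "").split(",");
  if (version !== "v1" || !sig) return false;

  const expected = Buffer.from(sign(secret, id, timestamp, rawBody), "base64");
  const received = Buffer.from(sig, "base64");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}

function demo() {
  // Constructed body as a sender might serialize it (spaces, "101.0").
  const rawBody = Buffer.from('{"id": "evt_constructed", "amount": 101.0, "livemode": false}', "utf8");
  const timestamp = "1700000000";
  const signatureHeader = "v1," + sign(SECRET, MSG_ID, timestamp, rawBody);
  const base = { secret: SECRET, id: MSG_ID, timestamp, signatureHeader, now: 1700000060 };

  // Parsing and re-serializing yields {"id":"evt_constructed","amount":101,...}: different bytes.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString("utf8"))), "utf8");
  return {
    rawBytes: verifyWebhook({ ...base, rawBody }),
    reserialized: verifyWebhook({ ...base, rawBody: reserialized }),
    stale: verifyWebhook({ ...base, rawBody, now: 1700000060 + 3600 }),
  };
}
```

In an Express handler, `express.raw({ type: "application/json" })` on the webhook route provides the unparsed body as a Buffer for this check.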