Community Forum

Ask a Question
Back to All

Event webhook call digests not matching causing failed attempts

We are getting an issue on the webhook calls, where some requests are being authorized successfully and others not. We have determined that the issue occurs due to the request signature being passed in the request header from Root not matching the digest we generate on our end. This only happens sometimes, not constantly. We do have sample data if you need (not added due to sensitivity). On our end we consistently generate the digest in the same way for all incoming requests:

  1. We take the incoming JSON object and serialize it to a raw JSON string.
  2. We then create a HMACSHA1 with the webhook secret.
  3. We compute the hash of the HMACSHA1 with the request body string (step 1), and convert it to a lowercase hex string, which gives us our digest.
  4. We compare the digest to the request signature to determine if a request is Authorized.

This appears to be an issue with how the digests are being calculated when the calls are made from the Root back-end. This is happening in production often and in the sandbox much less so.

Any idea what this issue could be?