Verifying webhook with signature and secret key | Community
Skip to main content

Verifying webhook with signature and secret key

  • December 17, 2021
  • 10 replies
  • 0 views
M

We have our webhook set up such that it makes a POST request to our internal API. We want to authenticate this request by verifying that it came from zendesk by following the documentation outlined here

 

We've setup the NodeJS verification example exactly as described, and pulled the webhook secret from a live webhook, and pulled live webhook invocation request headers for the timestamp and signature, exactly as described for testing our verification logic, and the signed values never match. We have also tried testing the webhook with the static test secret noted here.

 

  1. Could we get a list of the most common mistakes made when verifying webhook signatures?
  2. Do you have a python example of verifying webhook signatures that we could refer to?
  3. Would it be possible to set up a call to speak with a support specialist directly about the issues we're seeing?

      10 replies

      J
      • Jeff68
      • December 29, 2021

      Hi Meagan,

      Did you ever get this issue resolved? I am having a similar issue in java where the signature we calculate does not match.

      Gustavo18
      • Gustavo18
      • January 6, 2022
      Hi Jeff,
       
      Thanks for your response on the community post, it's much appreciated. 
       
      I'll be creating a support ticket, so keep an eye out on your emails, and we can go from there. 
       
      I look forward to troubleshooting this further in depth with you, speak soon!
      Harry22
      • Harry22
      • January 17, 2022

      For anyone looking for a solution in Python..

      https://gist.github.com/harryrobertwright/52103709160933d1d4f4b1f6649439e2

      Arvind12
      • Arvind12
      • April 22, 2022

      Figured it out. It was to do with the spacing on the json request. 

      The json payload must have one space before and after ":" and no other space or tabs anywhere else. See example below: 

      {"id" : "XXX", "amount" : "4567.89", "currency" : "aud", "reason" : "product_not_received"}

      The payload fields are not ordered and spaces not trimmed. Zendesk really should have taken care of simple things like this. 

      Andrea40
      • Andrea40
      • November 18, 2022

      We are having exactly the same issue using exactly the same framework/tools/language. Please advise what the solution to this issue was. 

      C
      • Christos13
      • December 9, 2022

      For anyone looking for a solution in PHP:

      https://github.com/cpazaras/zendesk-webhook-signature-verification-php

       

       

      Mitul
      • Mitul
      • March 8, 2023

      For anyone facing the issue in Java Springboot, make sure the format of your body payload setup in the zendesk trigger responsible for calling your webhook api matches identically with the Java object representing the request body. If your signature validation fails, check your spaces and indentation for your body during signature creation.

      Danilo16
      • Danilo16
      • June 29, 2023

      For PHP, you have to set the last parameter of hash_hmac, which is "binary", to true. Example code: https://gist.github.com/danilopolani/7add9e723636e4c9f3fdd06b8c945cc6

      Denis14
      • Denis14
      • August 18, 2023

      This should work for your Ruby on Rails app:

      # First calculate it (don't forget to set ZENDESK_WEBHOOK_SECRET env)
      sign = Base64.encode64(
        OpenSSL::HMAC.digest(
          'SHA256',
          ENV['ZENDESK_WEBHOOK_SECRET'], 
          request.headers['HTTP_X_ZENDESK_WEBHOOK_SIGNATURE_TIMESTAMP'] + request.body.read
        )
      ).strip

      # Then compare it with the one from request headers
      sign == request.headers['HTTP_X_ZENDESK_WEBHOOK_SIGNATURE']
      R
      • Ryan45
      • June 21, 2024

      I know it's an older thread, but I ran into a weird issue with message validation that doesn't seem to add up. I've created the webhook and verified that validation works when using the “Test Webhook” functionality. 

       

      However, I noticed when the webhook runs normally, message authentication fails. So I copied the body from the failed attempt, went back to “Test Webhook”, pasted the content into the message body, sent it, and message validation now works again. I've double checked that the secret I'm validating against is the correct one for this webhook. So it seems there is some difference between the two message bodies being posted. Any thoughts? 

      Terms & ConditionsCookie settingsAccessibility statement