#webhook validation

teal zephyrBOT
#

Common causes for sudden “Invalid signature” even when the secret looks correct:

  • Wrong environment secret

    • Test vs Live have different webhook secrets
    • Make sure the event you’re receiving matches the secret (no cross-env mix)
  • Raw body mismatch (very common)

    • Signature must be computed on the exact raw request body
    • If you’re using JSON parsers (Express, Fastify, etc.), they may mutate it
    • Fix: capture rawBody before parsing
  • Header mismatch

    • Ensure you’re reading the correct signature header (case-sensitive in some setups)
    • Also confirm you’re not trimming or modifying it
  • Secret rotated

    • If the webhook was edited/recreated, the secret may have changed silently
    • Re-copy from dashboard and redeploy
  • Encoding issues

    • Ensure UTF-8 consistency
    • No implicit string conversions before verification
  • Multiple webhooks

    • If you have more than one endpoint, make sure you’re using the correct secret per endpoint

Quick debug steps

  • Log:
    • Raw body (as string)
    • Signature header
    • Secret used
  • Recompute signature manually and compare
  • Temporarily disable body parsing middleware

If this started “recently” without code changes, the most likely causes are:

  • Secret rotation
  • Environment mix-up (test vs live)
  • Middleware affecting raw body

#

Hey @cinder flame, We have limited availability over weekends, but rest assured we'll get back to you as soon as possible!
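
The raw-body, encoding and wrong-secret causes listed above, as an added example that is not part of the original thread and not Dodo Payments' own code. It assumes a hex HMAC-SHA256 signature over the raw body; the secrets, payload and function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// ASSUMPTION: signature = hex(HMAC-SHA256(secret, raw body bytes)).
// The provider's real scheme may differ; check its documentation.
function sign(secret, rawBody) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Verify against the exact bytes received, comparing in constant time.
function verify(secret, rawBody, signatureHeader) {
  const expected = Buffer.from(sign(secret, rawBody), 'utf8');
  const received = Buffer.from(String(signatureHeader), 'utf8');
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Debug helper: which configured secret (if any) matches this delivery?
// Returns the label only, so the secret itself never reaches the logs.
function matchingSecret(candidates, rawBody, signatureHeader) {
  for (const [label, secret] of Object.entries(candidates)) {
    if (verify(secret, rawBody, signatureHeader)) return label;
  }
  return null;
}

// Constructed sample data (not real secrets or events).
const SECRETS = { test: 'constructed-test-secret', live: 'constructed-live-secret' };
const RAW_BODY = Buffer.from('{"id": "evt_1",  "amount": 10.0, "note": "café"}', 'utf8');
const HEADER = sign(SECRETS.live, RAW_BODY); // what the sender would attach

// What a JSON body parser leaves you with: same data, different bytes.
const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW_BODY.toString('utf8'))), 'utf8');
// An implicit string conversion with the wrong encoding also changes the bytes.
const latin1Decoded = RAW_BODY.toString('latin1');

console.log('raw bytes       :', verify(SECRETS.live, RAW_BODY, HEADER));
console.log('re-serialized   :', verify(SECRETS.live, reserialized, HEADER));
console.log('latin1 string   :', verify(SECRETS.live, latin1Decoded, HEADER));
console.log('wrong env secret:', verify(SECRETS.test, RAW_BODY, HEADER));
console.log('secret in use   :', matchingSecret(SECRETS, RAW_BODY, HEADER));
```

In Express, `express.raw({ type: 'application/json' })` on the webhook route gives the handler `req.body` as a Buffer of the received bytes, which is what `verify` expects.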

jolly python
#

Could you please share your Dodo Payments initializer code?