#MagnusPedersen

Hi
What are the main difference between the two deployment ? are you using the correct webhook secret for each endpoint ?

I'm just going to add some notes here, I'm in the same room as OP.

So the two different Stripe components/clients in our backend is being instantiated with two different keys

@Injectable()
export class StripeService {
  private stripe_uk: Stripe;
  private stripe_scandi: Stripe;

  constructor(
  ) {
    this.stripe_uk = new Stripe(configService.get('STRIPE_UK_SECRET_KEY'), {
      apiVersion: '2022-11-15',
    });

    this.stripe_scandi = new Stripe(
      configService.get('STRIPE_SCANDI_SECRET_KEY'),
      {
        apiVersion: '2022-11-15',
      },
    );
  }

And the endpoint for the scandi/eu account is using the secret from the right account

  public async processScandiOrder(req, signature) {
    let event;

    try {
      event = this.stripe_scandi.webhooks.constructEvent(
        req.rawBody,
        signature,
        process.env.STRIPE_SCANDI_WEBHOOK_SECRET,
      );

It is in NodeJS/NestJS the backend is written in.

So you are using the same artifact/deployment with just two different endpoints ?

Spot on

And it works just fine when we are creating the checkout session. But the endpoint for the endpoint is failing to construct an event comming from the scandi account.

If the exactly same code is used both, one works fine and another not, that probably means a wrong webhooks secret is used.

You need to double check this.

@green island I think you are right. Can I ask where I should get the secret from?

Looking at our uk account and implementation does it not seem like the whsec.... we have in our backend is the same as the signing secret we can see on our stripe profile.

You can see the webhook secret in the uk dashboard account:
https://stripe.com/docs/webhooks/signatures#:~:text=Before you can verify signatures%2C you need to retrieve your endpoint’s secret from your Dashboard’s Webhooks settings. Select an endpoint that you want to obtain the secret for%2C then click the Click to reveal button.

But that key I can see there, is not the same as in our backend? The one in our backend is much longer?

Or the scandi one are.

That is the webhook client secret, that you need to use for env.STRIPE_SCANDI_WEBHOOK_SECRET

And that fails for some reason, remember that we have two stripe accounts. So we will still need to use the schandi account for the scandi webook.

You need to use the webhook account secret and the secret key of the same account

For live secret keys :
https://stripe.com/docs/keys#reveal-an-api-secret-key-live-mode

Exactly.

You need to make sure that you are using the correct webhook secret and secret key for each deployment

I tried to tear down the registered endpoint, recreated a new one, took the secret it gave me, and used it. And it worked!

But if I revisit the dashboard, webooks and look at the signing secret is it still not the same secret I got when I created the webhook?

Interesting, it should be as far as I know. I get the same one in my dashboard.

Trying to think of how to verify this so I can file a bug report if it is changing like that.

I just looked at both accounts we have and it is the same behaviour.
I should probably mention this is for test and dev.

not on a live instance of stripe.

Interesting. Would you mind sending me your account IDs? I will see if we can check in to this in your account logs and spot the bug

Sure, I will send a DM to you.

@cedar meteor can you confirm that you got the message?

@cedar meteor sorry for the delay here
Can you share the account IDs in the thread?

Those are safe to share

That was my next question 😄

This is the ID for our UK acc: acct_1G0Sl7HlWJIVzEKm
And for our scandi acc: acct_1IRaswLXt3D7veyw

Quick question, do both the secrets start with whsec_... ?

Yes, I will leave work now but I can answer any questions tomorrow.
The main difference is that the on given when a new hook is createad is longer than the one in the dashboard.