Hi there!

How do you access the raw body of the payload?

const sig = request.headers['stripe-signature'];

const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET; let event; try { event = stripe.webhooks.constructEvent(request.body, sig, webhookSecret); } catch (err) { response.status(400).send(Webhook Error: ${err.message}); re

stripe.webhooks.constructEvent(request.body, sig, webhookSecret);

Hello 👋
Taking over as soma needs to step away soon

Hi @quartz pine

Have you double checked your webhook secret? There are typically two reasons folks see this error

Either the webhook secret is incorrect OR the request.body gets parsed before constructEvent runs

Can you try priting request.body after you define webhookSecret constant and see if you're getting raw data back OR json?

Ok checking

Here is the request.body and webhooksecret.

<Buffer 7b 0a 20 20 22 69 64 22 3a 20 22 65 76 74 5f 31 4d 77 33 51 56 4b 47 53 69 38 34 42 65 64 47 45 50 70 6d 52 69 4e 47 22 2c 0a 20 20 22 6f 62 6a 65 63 ... 845 more bytes>

whsec_2xxxxxxxxxxxxx

Gotcha. So the webhook secret is accurate right?
You're not running Stripe CLI either?

For this one, I am running the stripe CLI.

And yes the webhook secret is accurate.

Stripe CLI has a diff webhook secret than the one you see on your dashboard hence double checking..

Umm, ok

it is usually printed in the log when you run stripe listen

Yes, correct. I was using the webhook client from the CLI. I update with the one from the stripe dashboard, but still i am getting the same webhook error.

How exactly are you triggering these events?

are you using stripe trigger in the CLI?

I am subscribing or calling stripe checkout with a subscription mode from my frontend app. And that trigger checkout.session.complete webhook event.

does the following code looks correct for you?

app.use((req, res, next) => {
if (req.originsalUrl === '/api/stripe/webhook') {
next();
} else {
express.json()(req, res, next);
}
});

Gotcha. hmm interesting..
looks fine but typically we just recommend sending the request directly to the endpoint rather than via a middleware.

Curious if you see a different behavior if you comment out the middleware

We have a node/express example here
https://stripe.com/docs/webhooks/quickstart

Yeah, I did copy-paste this code. If i comment out the middleware my /create-subscription-checkout-session API route will not work, because it needs the body to be parsed to a JSON object.

you can do something like

app.post('/checkout-session', express.json({type: 'application/json'}) OR something similar which parses the body when the route is hit

Ok checking that.

You can also do something like
app.use( "/checkout-session",express.json(...))

Umm 🥲, I am still getting the same error. I remove the JSON parser middleware and add express.json({type: 'application/json'}) for all the other api routes except for the /webhook API.

router.post(
'/create-subscription-checkout-session',
express.json({ type: 'application/json' }),....)

router.post(
'/webhook',
express.raw({ type: 'application/json' }),)

And the other routes are working fine?

try following for /webhook route

  '/webhook',
  express.raw({ type: '*/*' }),)```

Yes, the other routes are working.

Ok, will try the second one.

maybe if useful the request signature is the following.
request.headers['stripe-signature']

"t=1681308448,v1=e1feb23b3975270e9852cbdcb369b77a8ce0e353562ff8109e88a45d6ab2ec5c,v0=2e1cdfcbf394ab9a7cad88848e40df561a305c10a91276dcb72483c115324b9f"

I don't think signature is the issue. It's either the webhook secret or the request body. Also the request body seems fine so I am wondering if it really is just the webhook secret.

Since you're creating a checkout session and confirming it manually, The webhook secret that you use in your code should come from your dashboard Developers > webhooks > webhook endpoint > signing secret
https://dashboard.stripe.com/test/webhooks

Ok thanks @quartz pine