#yairhaimo

Hm ok. And the api key and webhook secrets being logged are the different live ones correct?

And is this hosted on the same provider as the staging environment?

yes and yes. using Vercel and NextJS

checked a million times heh

Ok

Can you share the event id where you are seeing this?

evt_3N985HFlNL9g78Mq1KduU50P

Interesting. And absolutely nothing is different in your code that's deployed to live?

this too evt_3N95XeFlNL9g78Mq0ADnYxMZ (paymentIntent.succeeded)

Can you share an event that succeeded in test mode too?

sure, sec

ah, didnt log that since no error was thrown

the code is the same (branches are the same, just env vars are different)

sec, ill check the dashboard for the event id

evt_3N98IpFlNL9g78Mq0nu5M9f4

should i try rolling the production secret key and check again? since i can only see the last several characters in the dashboard and i cant compare 100%

You can try that yeah

nm, it works when i create the payment intent so the env var is correct

Make sure the webhook endpoint secret is the one ending in LBbT

And you're logging these in the webhook endpoint handler code?

yeah

i see the LBbT in the logs and i compared the whole value too

hmm, i see a difference in the sig header. in staging i have both v0 and v1 and in prod only v1

Staging - t=1684421002,v1=6b919870276b609916b4b709a3336ca8318dccf887281b3e963cdab71a115329,v0=1b785f9e90930d82d775b053b261d1aa74f09ec2b1eec00998e8a00bd9831d4b

Prod - t=1684421139,v1=7c3bdafdc2b680375d7d8710943684952a2838293f7c7ab0a3cbf64bca34b830

Oh - "Currently, the only valid live signature scheme is v1. To aid with testing, Stripe sends an additional signature with a fake v0 scheme, for test mode events."

Yep

Hm this is really weird then

If you're logging those env variables directly in the code block that's pulling them in, then you know those are the ones being used

And if the code is no different and the hosting provider is the same idk what could be wrong

Maybe try passing the api key and webhook secret directly

Only temporarily obviously

It's a longshot but I can try

Yeah I just don't know what else to suggest if you've triple checked everything is the same across envs

Is there anything different about the live deploy?

Any middleware?

Anything that could be mutating inbound request bodies?

Yeah, triple checked but ill check again. The only thing different (that i know of) is the environment keys.

I have a middleware that reroutes to /login if you dont have a session but:

1. its configured to not affect the /api directory
2. it doesnt change the request
3. if it did work, the api endpoint wouldnt have been triggered

Ok

Reason I ask is some platforms like AWS lambda slightly modify inbound request bodies

So wondering if there's any difference in the live deploy environment vs test for your cloud platform/hosting provider

Recommend logging the inbound request body in live + test mode to see if there's any noticeable differences

ok, i think i found the issue.
there was a newline at the end of the webhook key.
i feel ashamed!
testing it

Ah

Yeah that would definitely do it

its weird that it accepts that as a key when instantiating the Stripe library

confused me heh

No worries