#shadizx
glacial lagoon
spare musk
hello! did you update your webhook secret after switching to livemode (hosted endpoint)?
shy vessel
yeah so right now I am testing from localhost, and I updated my .env.local STRIPE_WEBHOOK_SECRET to be the Signing secret from my test hosted webhook
spare musk
i'm a bit confused
if you're testing from localhost and you're forwarding the webhooks using the Stripe CLI, then your signing secret should be from your Stripe CLI
shy vessel
no I'm not forwarding right now
spare musk
can you share how you're receiving the webhooks locally?
shy vessel
yeah it's kinda hard to explain
basically
I deployed my webhook to vercel, so right now the url that shows on the webhook page is something like https://www.myapp.com/api/webhooks/stripe
I then copied the signing secret for this and put it in my vercel env variable, and now I am trying to hit the endpoint but without rerouting it via cli, rather just hoping that it would trigger the prod endpoint
spare musk
i think you should try logging the webhook secret during runtime to ensure that you're using the correct secret first. In general, there's two common reasons why you get that error :
- wrong webhook secret
- the raw request body is not actually being passed into constructEvent
shy vessel
thanks alex
I just confirmed that it is logging the right webhook right now
like on dashboard.stripe.com/test/webhooks/webhookid i see the 400 bad request and it is showing my webhook secret that I logged, and it's the same as the signing secret of the webhook
event = await stripe.webhooks.constructEventAsync(
await req.text(),
req.headers.get("stripe-signature") as string,
env.STRIPE_WEBHOOK_SECRET,
undefined,
cryptoProvider
);
``` I'm suspicious of this bitme too. what guide did you follow for that section?
spare musk
req.text() doesn't look like it's the raw request body. What do you get if you log it?
shy vessel
trying that right now
I actually get an enriched request
I don't get why this works when forwarding locally but not on the hosted endpoint
spare musk
could be something to do with vercel (which unfortunately i'm not too familiar with). In any case though, it looks like you now know the reason, so it's a matter of figuring out how to get the raw request body
We have sample code here, but it's using ExpressJS : https://stripe.com/docs/webhooks/quickstart
shy vessel
wait what i'm confused
what do you mean that it's just how to get the request body?
I'll send you the request body that it's logging in dm
spare musk
maybe i misunderstood - when you said enriched request -> this means you're not getting the raw request body?
i've turned off DMs
shy vessel
oh okay
the request is something like:
req is {
"id": "id",
"object": "event",
"api_version": "2023-08-16",
"created": 1692673614,
"data": {
"object": {
"id": "id",
"object": "invoice",
"account_country": "CA",
that's not the raw request body
shy vessel
oo
spare musk
download the webhook sample from our quickstart
in Node, get it setup and run it
when you log the request.body (prior to contruct event), it'll log a buffer
shy vessel
I'm following this
and the body looks similar to what I showed above
also if what you're saying is true then it shouldn't be working in local host testing when using stripe cli
just got it to work
spare musk
ah, great! what was the issue actually?
spare musk
wrong secret?
spare musk
it happens sometimes, there's a lot of secrets to keep track of when you setup different endpoints
shy vessel
const body = await req.text();
try {
event = await stripe.webhooks.constructEventAsync(
body,
req.headers.get("stripe-signature") as string,
env.STRIPE_WEBHOOK_SECRET,
undefined,
cryptoProvider
);
body had to be outside
idek
spare musk
😆
sometimes it's really the smallest things that we don't expect that make a difference
shy vessel
you pointed out the body thing, comon take some credit