#red-webhook-signature

red-webhook-signature

👋 each webhook endpoint has its own secret (and it's completely different from the API key itself). You mentioned you use the same URL for both so I'm not fully following.

Yes each endpoint has it's own key. So I forgot to say I check the different endpoint key depending on live and test mode and assign it to the stripeWebHookKey variable.

And what I am checking for is what is in the data but then it fails.

What is the exact error you get?

'No signatures found matching the expected signature for payload. Are you passing the raw request body you received from Stripe? https://github.com/stripe/stripe-node#webhook-signing

And I am passing the raw data. Using the same code as I used for my regular non-connect webhooks and they work.

Okay so you have four separate endpoints?

Yes.

The two for the regular calls go to a different address

Then the two for connect go to the same address

While I am testing this is the address that I have for the connect:

https://tdswhitetest.loca.lt/whitelabel/api/stripeWebhook

It will eventually be :

https://truednastory.com/whitelabel/api/stripeWebhook

Do you have an Event id I can look at?

"evt_1OLpijKkx2VqtUnIshAV77zz"

actually that is not the correct one

Here is the correct one:

"evt_1OMR4VFbwp83LLdU9DGMfs57"

Okay so are you using the secret of your Live Connect WebhookEndpoint?

Because the Event is sent to the Live endpoint right now

They are pointing to the same place. Live and test mode will be pointing to the same address. Then depending on whether in Live or Test mode I will use the correct keys. Because our whitelabel companies will be able to test.

yeah okay so that's the problem

Try the secret of the Live endpoint first let me know if that works. If it works I'll explain why

Ok I will try. Give me a few minutes.

sure thing

A question: Do I use the different Stripe key for Live and Test modes?

the API key is completely irrelevant to verifying the signature of an Event

Ok good to know

Ok here is the new event and web hook signature that i was looking for and it still failed

Web hook secret:
we_1OLLGDHDu6PdMoNba31ARUbS

Event:
"evt_1OMaD2Fbwp83LLdUiE1ABjin"

My code in a nutshell:

  const sig = req.headers['stripe-signature'];
  const rawBody = req.rawBody;

    let stripeWebHookKey;

    config.get('stripe.webHookSecretLocalTest');
    try {
            stripeWebHookKey = config.get('stripe.webHookSecret');
            event = stripe.webhooks.constructEvent(rawBody, sig, stripeWebHookKey);
    } catch(err){}

we_1OLLGDHDu6PdMoNba31ARUbS```
that's the **WebhookEndpoint id**

don't share the real secret but can you confirm that you use the secret for that endpoint?

I understand now. Let me check

So am I correct in that the test mode and live mode callbacks will go to the live mode endpoint?

For the Connect WebhookEndpoint then yes, it's an old quirk in our API design where Test and Live Events both go to the Live WebhookEndpoint

That's why we usually recommend having different URLs for each or at the very least some query parameter to distinguish like https://example.com/webhook?type=account&mode=live

That will be just great for me. And it works now. Thanks for your help

Sure thing!

I check for the live and test modes in the structure and use the correct stripe key

sure but that won't work here since Live and Test mode Events are sent to the Live enpoint.

That is fine. I am talking when I process the event. In the object it will tell me the livemode.

So when I need to call Stripe I use the correct key for the stripe calls.

you aren't really understanding what I am saying though

The Event you get will have livemode: false but be sent to your Live WebhookEndpoint

Correct and I want both to be sent there.

Thanks again for your help.