simonc | Stripe Developers | Page 1

dark cobaltBOT Feb 6, 2024, 3:52 PM

#

dense pebble Feb 6, 2024, 3:53 PM

#

Hi 👋 can you tell me more about your issue? (In the future please feel free to put your concern in your original post, it helps us help faster)

wind lily Feb 6, 2024, 3:53 PM

#

Hi, I created 2 endpoints with the same route

#

One for connect and one for account

#

For the Account, the status code is 204

#

And for the Connect, I have a 400 with: No signatures found matching the expected signature for payload. Are you passing the raw request body you received from Stripe? https://github.com/stripe/stripe-node#webhook-signing

GitHub

GitHub - stripe/stripe-node: Node.js library for the Stripe API.

Node.js library for the Stripe API. . Contribute to stripe/stripe-node development by creating an account on GitHub.

#

But I use the same route and the same signature

dense pebble Feb 6, 2024, 3:55 PM

#

The endpoints will have different signing secrets, you will need to ensure you're using the right one based on where the Event is coming from.

wind lily Feb 6, 2024, 3:56 PM

#

I use the same script and I get the signature from the request headers for both

dense pebble Feb 6, 2024, 3:56 PM

#

Does your script use the same signing secret regardless of which endpoint the Event is being delivered to?

wind lily Feb 6, 2024, 3:58 PM

#

I get the header stripe-signature when the webhook is triggered with a specific event

#

Do I have to do sthing different with Connect?

#

When I tested locally with a listener, everything were fine

dense pebble Feb 6, 2024, 3:59 PM

#

Sorry, I'm not asking about how you're getting the signature header, that approach should be the same. I'm asking whether you are using each webhook endpoints individual signing secret when doing signature verification for those different endpoints?

Each webhook endpiont will have its own signing secret, you will not be able to verify the signature from an Event sent to your Connect endpoint using the signing secret from your Account endpoint, you will need to use the Connect endpoint's signing secret.

wind lily Feb 6, 2024, 4:00 PM

#

Oh ok, I use the same secret then

#

Where could I find the webhook secret of Connect?

dense pebble Feb 6, 2024, 4:01 PM

#

On the page for that endpoint in your Stripe dashboard. You should be able to start here (for livemode, you'll need to flip the toggle for testmode):
https://dashboard.stripe.com/webhooks
and then click on the Connect endpoint. On that screen there should be a reveal button under a Signing secret label that you can use to reveal the signing secret for the endpoint.

Stripe Login | Sign in to the Stripe Dashboard

Sign in to the Stripe Dashboard to manage business payments and operations in your account. Manage payments and refunds, respond to disputes and more.

wind lily Feb 6, 2024, 4:02 PM

#

Yes indeed, thank you. HAve a good day and good luck for the support

dense pebble Feb 6, 2024, 4:06 PM

#

Any time, hope you have a great day as well!

wind lily Feb 6, 2024, 4:13 PM

#

Last question

#

How do I know if the webhook triggerd is from account or connect before I construct the event with the good signature?

dense pebble Feb 6, 2024, 4:15 PM

#

There isn't a great way to check that until you have the Event object, then you can check for the presence of a value in the account field which is exclusive to Connect Events:
https://stripe.com/docs/api/events/object#event_object-account

The Event object | Stripe API Reference

Complete reference documentation for the Stripe API. Includes code snippets and examples for our Python, Java, PHP, Node.js, Go, Ruby, and .NET libraries.

#

Otherwise I would recommend adjusting your endpoints so they each include a unique query param that you can use to identify which endpoint received the event.

wind lily Feb 6, 2024, 4:15 PM

#

Alright

#

I have to create another route for the specific webhook connect?

dense pebble Feb 6, 2024, 4:25 PM

#

No, I wouldn't think so, but I'm not familiar with the web framework you're using so I can't asnwer that definitively

#simonc