#heildever-webhook-signature
Hello! We'll be with you shortly. Below are links to other discussions we've had with you in the past week in case you want to review that information. If your question is related to one of these previous discussions, please provide a comprehensive summary of the current state and what you need help with now. We help many users simultaneously, so a summary allows us to resolve your issue as soon as possible.
- heildever, 6 days ago, 42 messages
Hello! Which one of our SDKs are you using?
Python
stripe.WebhookSignature.verify_header(
Passing as stripe.WebhookSignature.verify_header( json.dumps(json.loads(request.data), separators=(",", ":")), signature, "whsec_blabla", )
Are you doing something related to stripe apps?
and I believe that's python, right?
Right off the path, I'm worried json.dumps is likely not going to work because it's not going to exactly match the payload we send to you. You can look at what our general webhook verification docs recommend to get a better idea: https://stripe.com/docs/webhooks#verify-official-libraries. We're taking the raw payload as-is with absolutely no modifications
Uh huh, I tried passing the raw bytes data
How'd you try passing the raw bytes
Well my request.data object is <class 'bytes'>
Did you log/print it to confirm it's exactly what you'd expect?
Yup it matches what I see in the dashboard
It's a byte string so it looks like '{\n "id": "evt_1OhYzwIfT7kSd",\n "object": "event",\n "api_version": "2017-12-14",\n "created": 1707404084,\n
Wait okay let's pause here for one second - are you trying to verify the signature for a webhook endpoint, or for verifying signed requests for stripe apps? The initial code you sent is using verify_header with a webhook secret (whsec_123) which doesn't make sense since verify_header is something that's specifically for stripe apps - it wouldn't be used for webhook event signature verification
I have verified signed requests for the app, now I'm trying to verify the webhook signature
Yes, so the whsec_123 one is the one I'm trying to get to work
Just wanted to mention what I had to do previously for the signed requests
Since it's a similar implementation
Gotcha - if you're trying to do signature verification for your webhook you need to be using stripe.Webhook.construct_event (see https://stripe.com/docs/webhooks#verify-official-libraries)
Also what happens if you change your code to do this:
request.data,
signature,
"whsec_blabla",
)
I get a stripe.error.SignatureVerificationError: No signatures found matching the expected signature for payload
Are you testing locally with the CLI? You're using the webhook secret you get from the CLI output and not the dashboard, right?
I'm using the secret I took from the dashboard
And I am sending events on dashboard to my local using ngrok
we_1OhYzeIfT7kSd6A4efdVm6Bk
Gotcha, so you're not using the CLI at all then
Nope
Oh one sec
Looks like stripe.Webhook.construct_event produces a different outcome
Huh so weird
construct_event doesn't throw invalid signature
How? I have no clue
Ah
```
if hasattr(payload, "decode"):
    payload = payload.decode("utf-8")
```
Ah, so you hadn't switched to construct_event yet
Yeah, they're meant for two different things so I'm not surprised it failed when you were still using verify_header
AGH! Sorry, in my earlier codeblock that I sent you I still had it using verify_header which probably threw you off - sorry about that
👍 glad we could clear that up!