#clash-webhook-signature

Hello! We'll be with you shortly. Below are links to other discussions we've had with you in the past week in case you want to review that information. If your question is related to one of these previous discussions, please provide a comprehensive summary of the current state and what you need help with now. We help many users simultaneously, so a summary allows us to resolve your issue as soon as possible.

• clashroyaleofficial, 1 hour ago, 12 messages
• clashroyaleofficial, 3 hours ago, 10 messages
• clashroyaleofficial, 3 hours ago, 11 messages

HI 👋

Yes webhook signature validation works in both Test and Live mode

However, the endpoint secret is different between Test and Live mode webhook endpoints and the CLI when using stripe listen

I got the endpoint secret from here:

is that correct?

I'm not sure what CLI is, but I'm fairly certain I'm not using it

all I have on my server is the stripe library from github

And the only errors you are receiving are in Test mode?

Well I haven't gone live yet

Is the webhook endpoint you are referring to created in Test mode?

My account is not fully activated, all I have is Test mode

Have you ever successfully validated webhook signatures?

No

I am using an integration almost identical to the one provided at https://docs.stripe.com/webhooks/quickstart

Almost

Can you copy the exact code shown in webhook.php and test with it?

My webhook endpoint isn't a standalone file, so it is structured differently. Would you like me to provide my code (filtered for security)?

No, I woud like you to validate that, if you just use checkout.php you can verify the signature of an event

Ok, it gave the same error, copying the code exactly, only swaping out my method for defining $stripeSecretKey and $endpoint_secret
I also added the following line to work with the github repo, and wordpress:

// Allows access to 
define( 'SHORTINIT', false );
require_once($_SERVER['DOCUMENT_ROOT'].'/wp-load.php');

//stripe library
require_once __DIR__ . '/../lib/stripe/stripe-php-13.11.0/init.php';

I echo'd $stripeSecretKey and $endpoint_secret to make sure they are defined properly, and they are

And is there anything happening to the payload? Is it transformed in any way?

Ok it actually did work, I just forgot to remove this line from webhook.php $endpoint_secret = 'whsec_...';

Okay great!

So it's a problem with my implementation, that's great progress

So now you have a working webhook signature verification implementation. So you should be able to compare the two files and identify the differences. Then test modifying each one to see which is causing the failure

Alright well, I mostly just moved a bunch of variables around ensuring they had global scope (my validation is performed in a function) and it works now. Thank you so much :)

I'm still not 100% convinced so I'll play around some more

As long as you keep one that is reliably successful that should give you a good template to work from. Webhook signature verification is a tricky subject so it helps to keep around one flow that you know works and can fall back on.