#zalt_webhooks

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1227624729737953311

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

Hello, is this endpoint failing to receive any events sent to it?

And it sounds like you have other endpoints that are receiving these events successfully?

I don't have much knowledge on AWS and ECS specifically, but the things to check for webhook verification are that you have the right endpoint secret, are retrieving the HTTP request's headers correctly, and that you are passing the raw request body to the signature verification method

thanks for your answer @pallid axle. let me clarify the code works 100% locally. so there's no way the setup is broken. the endpoint secret is surely a valid point, i can confirm its set correctly. the signiture verifications failing most likely cause somerthing is modifying that request object. I'm sure ECS doesn't do that, it's on the LB who usually has the potential to alter the request. But i tried every options there to preserve original request header and body yet not working. now suspecting the SSL offloading could it be causing that failre or else I might have to change my clsuter to use HTTPS even internally, but I need someone to confirm that the cause so that I can give that a try.

The only header that should matter here is the Stripe-Signature header, as long as that and the webhook body are not modified you should be able to verify your signatures properly. Also definitely double check the webhook secret if you haven't already.

that's incorrect actually, if anything changes in the request obj will differ from the Stripe-Signature. but anyhow i solved the issue with a workaround of ignoring the sig verification step. im just fetching the data from the request directly. until Stripe include some docs to cover these cases especially on popular clouds like aws. thank anyway

I think grammar may have mixed things up there. I was also saying that if anything changes in the signature or body that will mess up the verification. I'll put in feedback about documenting how to avoid that for popular clouds