#meet_webhooks

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1364108918564978729

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

Hi! Looking into your query!

This webhook, we_1RGZBLQwpOr5RFOo5EVFDbsd, has been deleted.

Is this the correct one you're looking at?

Sorted i have added new account and now it is working can you help with the signature verification the manual signature verification

i am trying to do it but as soon as i generate my signature it is not the same as it comes in signature header

both are different

i can use the stripe library due to some project constraints i want to use the manual webhook verification

if you some sample code of that it would be helpful for me

i can share my implementation if want

Have you had a chance to read this: https://docs.stripe.com/webhooks?verify=verify-manually?

This is another helpful doc: https://docs.stripe.com/webhooks/signature

yes i have follwed the same steps

still i am not able to find out the issue

do you mind looking at my implementation

Sure, could you let me know step by step how you are doing the manual verification?

Here is my code and this is webhook id : we_1RGZSZJbnswIoZhAaipDjAOb

So firstly i extracted the t= which is timestamp then extracted v1 from signature header of webhook then created a signed payload using timestamp.body and using hmac sha256 signed payload as message and webhook secret as key i generated a code and compared with the header v1

Let me know if anything else needs to be done from my end or i am making some mistake

This is what is received

t=1745300104,v1=ac1c19b7d43369efe0eb85658bd4f0c49ea586b780f4a2fc643c79bde50d851f,v0=50c5fcaee187b61a92181c61be60b261e1343eead07703b0c8ec1446559429a0

and my code generated: 4a57c216f9c0577f58840e9e153773ea693f8bec3684c774be1d4c5dadf86ed9

Looking into it!

thank you so much it will really help me

The payload which i am using

Can you try without JSON.stringify and just pass the actual JSON payload?

ok

Generated : a7398ab73714fa7d7ed7a436558909668054915d325a611ee4189f5124aafc83
Expected (which was received in Header): ac1c19b7d43369efe0eb85658bd4f0c49ea586b780f4a2fc643c79bde50d851f

Still not correct

I have tried so many things and it is not helping thats why i came to you guys

can you help me with some sample code

and i can refer to that working code

Let me see if I can try on my end. Give me a moment.

sure thank you very much

Thank you waiting! I was able to get the link to our open source GitHub repo: https://github.com/stripe/stripe-node/blob/master/src/Webhooks.ts#L59. This code will show you how the verification is implemented.

this is library code and i want a manual verification sample

We don't have a specific code for manual verification. I would advise using our official libraries for it.

Actually we are directly integrating your apis and we can’t install your library due to the versioning and some other issues

can you help me doing this manual verification

As mentioned we don't have a manual verification sample. The library code provides details on how constructevent works. We would recommend though that you pass the raw request body as mentioned in docs.

ok

did you got chance to look into my implementation, if i am doing something wrong

that would help me solve this

You said you're using a different webhook endpoint. Do you use the new webhook secret for it?

yes

i have used the new one

still maual verification is not working

Please share the full webhook handler code.

public verifySignature({
payload,
header,
signingSecret,
}: {
payload: string;
header: string;
signingSecret: string;
}): boolean {
try {
if (!header) {
throw new Error('Missing Stripe-Signature header');
}

  const params = new URLSearchParams(header['stripe-signature'].replace(/,/g, '&'));
  const timestamp = params.get('t');
  const signature = params.get('v1');


  console.log("TimeStamp", timestamp);
  console.log("Signature V1", signature);
  console.log("Elements", header['stripe-signature']);


  if (!timestamp || !signature) {
    throw new Error('Invalid signature header format');
  }

  const signedPayload = `${timestamp}.${JSON.stringify(payload)}`;
  console.log("Signed Payload", signedPayload)
  const expectedSignature = createHmac('sha256', signingSecret)
  .update(signedPayload)
  .digest('hex');

  
  console.log("Expected Sign", expectedSignature)

  return expectedSignature === signature
} catch (err) {
  console.error('Signature verification error:', err.message);
  return false;
}

}

That's not the whole handler. Where does the payload come from exactly? What's the type of it?
If you need to stringily it, it might mean that it's a wrong type.

sorry i cant share the whole code due to some restriction but i can share you what i am passing in
I am passsing this JSON object as body that's why i am converting it to json.string

What do you mean by "I am passsing this JSON object as body"?
Are you sending a request to the webhook endpoint yourself?

not me exactly but the code is passing this JSON object as body to verify the signature

What variable type is req.body?

Could you please check it.

(@Req() request: Request, @Query() params: any, @Body() body: any, @Headers() headers: any):

We are using this body

You still haven't answered my question ☝️

@Body does the same req.body

answer

What is the type of the body in the request?

During runtime

Could you please check it?

JSON object

This is not a JavaScript type.

If you mean Object, then your webhook handler is not working correctly, as it must provide the raw request body - as a String or Buffer.

Ok let me check

Hey, taking over here. Let me know if there's any follow-up Qs I can answer!

the notifications which is coming from Stripe is sending us a payload object so we are converting it to string

HTTP requests don't send objects as payload. They're sending strings, that your web framework automatically converts to an object. You need to disable this behavior. Converting it back to a string won't work.