#senthil - webhook secret


brisk socket
#

That is the endpoint signing secret. What are you trying to do?

#

those are two ways of describing the same thing

#

So I suspect you are looking for exactly that value

flat elm
#

Ok, thanks for confirming. I was confused as it is called signing secret for some reason in the dashboard. So signing secret and endpoint secret are the same thing. Correct?

brisk socket
#

Correct

flat elm
#

Ok, thanks. Have another related question. When I run this code below:
$event = null;
try {
    $event = \Stripe\Event::constructFrom(
        json_decode($payload, true), $sig_header, $endpoint_secret
    );
} catch(UnexpectedValueException $e) {
    // Invalid payload
    http_response_code(400);
    exit();
} catch(\Stripe\Exception\SignatureVerificationException $e) {
    // Invalid signature
    http_response_code(400);
    exit();
}

And pass an INVALID endpoint_secret. I still don't get an exception.

#

and FYI: $payload = @file_get_contents('php://input');

brisk socket
#

Are you sure $endpoint_secret has the value you expect? Invalid secret suggests that might be missing or malformed. Are you getting the full value from your dashboard? There should not be any ... in the real value.

flat elm
#

Yes, I put the ... for the chat. So the webhook succeeds and I get the payment info DESPITE putting in an incorrect secret!

#

Am I missing something in the code? Seems like the secret does NOT matter

#

which means someone else can send a fake one, and then that is a problem

tough eagle
#

Hi there! Stepping in for @brisk socket, as they needed to step away. One moment to get caught up.

flat elm
#

also I am in test mode

#

ok thanks