#thnkscj - webhook signature
Hello! Just starting a thread for you -- I'll review and respond as soon as I can 🙂
thanks
Hey there, you need to ensure you're using the raw request body, and using the correct signing secret
Can you share an example event ID you're testing?
I mean a specific event ID. Is this a hosted endpoint, local testing via CLI etc?
evt_123
Is there any part of your express app setup that is deserializing json before that endpoint is configured?
e.g., using bodyparser or express.json() at some earlier stage?
That will mutate the request body
Also you should log out your secret and ensure it has the expected content: whsec_XQ...d6vs
removing this fixed it, thank you
Great!
(just be aware it might affect other code expecting deserialized payloads)
You can modify express.json() to exclude certain paths for fine control
Or, define your webhook route first then apply express.json() after that, so it only applies to all other requests not handled by /webhooks
Or you can conditionally preserve the raw body like you see here:
https://github.com/stripe-samples/accept-a-payment/blob/main/custom-payment-flow/server/node/server.js#L19-L26
Then use request.rawBody in your webhook endpoint