#OptimalSurprise-webhook

hi! hmm, if you're getting the error then I guess the configuration is not working

do you have more context on the type of webhook handler you're using, what language it's using and how you test it?

Using python currently

this is generally either that you are using the wrong whsec_xxx secret in your code, or you don't pass the exact raw incoming HTTP request body from the webhook to our library

we are using the correct signing secret

I can provide an event id if that work

can you share the exact code your webhook endpoint uses, and the evt_xxx ID of an event that is raising the error?

yes

evt_1LFHK5GgtGF4AgsOHfat6Fty

thanks, and the code?

stripe.Webhook.construct_event(
payload=await request.json(),
sig_header=STRIPE_WEBHOOK_SIGNATURE,
secret=Utils().webhook_secret,
)

I have checked that STRIPE_WEBHOOK_SIGNATURE is the correct signature

so one thing I notice immediately is you have this same URL in two different endpoints

i.e. you have a test mode endpoint and a livemode endpoint, with the same URL

in the code which endpoint's secret are you using? the test mode or the livemode one?

we have two environments, live and test mode

each has their own secrets, stripe webhook urls etc

yep, but you have the same URL, so how would your code know if it's getting an event from live or test mode?

what do you mean it's the same url?

that's not true though, you have https://staging-***********.app/v1/stripe-connect-webhook registered as both a test and a live endpoint

ah that looks wrong

I mean check https://dashboard.stripe.com/test/webhooks and https://dashboard.stripe.com/webhooks

i checked both links

one is staging-...

another is api.

Hi there 👋 jumping in as my teammate needed to step away, please bear with me while I catch up on the context here.

I see that you're passing request.json() in as the payload, does that mean you're modifying the payload into a json object before verifying the webhook signature?

yes you're correct

Gotcha, that's going to be a problem. That function is expecting the raw request body to be provided, so making any alterations to it will cause the signature verification to fail.

ah ok

what's the best way to do this?

with no alterations to begin with

That fluctuates depending on the framework/libraries that you're leveraging, and I'd recommend that you check the reference materials for those to determine how to pass an unaltered request body.

ok do you know where the python docs are without use of django?

the official docs only have django + python

If you're not using django, which web framework are you leveraging?

fastapi

Gotcha, so it'll be FastAPI's documentation that you want to reference. They're the framework that are structuring the requests you receive, so you'll need to figure out how to access the raw request body within their framework.