
You mention in the Signed Notifications section in the webhooks docs (https://developers.intercom.com/building-apps/docs/webhook-model#section-signed-notifications) that the X-Hub-Signature is a sha1 signature of the payload.body and the client secret.

 

Could you please confirm the order both strings are concatenated (payload.body + client_secret) or (client_secret + payload.body) before you pass through sha1()?

 

Although I've tried both options I'm yet to get a match, but before I look into the possibility of my payload body causing the issue I'd like to get confirmation on the order the two strings should be concatenated.

 

I'm attempting to pass the concatenated string through a sha1() method to do a string comparison with the header value from the request.

 

Is this the usual method to confirm the signature, or is there something I've missed?

Hey @craig w11, the secret and payload are not concatenated, it’s an HMAC algorithm as specified here, so the client secret is used as the secret key and the payload is what actually gets hashed.


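The check described in the answer, as an added example that is not part of the original thread or of Intercom's documentation: HMAC-SHA1 keyed with the client secret over the raw request body, compared in constant time, next to the two concatenation attempts from the question. The `sha1=` header prefix, the secret and the sample body are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

PREFIX = "sha1="  # assumed header format: "sha1=<hex digest>"


def sign(client_secret: str, raw_body: bytes) -> str:
    """HMAC-SHA1 with the client secret as the key and the raw body as the message."""
    digest = hmac.new(client_secret.encode(), raw_body, hashlib.sha1).hexdigest()
    return PREFIX + digest


def verify(client_secret: str, raw_body: bytes, header_value: str) -> bool:
    """Return True only if the header matches the HMAC of the exact bytes received."""
    if not header_value:
        return False  # unsigned request: reject
    expected = sign(client_secret, raw_body)
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(expected.encode(), header_value.strip().encode())


def concat_sha1(first: bytes, second: bytes) -> str:
    """The approach from the question: plain SHA-1 over two concatenated strings."""
    return PREFIX + hashlib.sha1(first + second).hexdigest()


# Constructed sample values, not real Intercom data.
SECRET = "example-client-secret"
RAW_BODY = b'{"type":"notification_event","topic":"user.created"}'
HEADER = sign(SECRET, RAW_BODY)  # stands in for the received X-Hub-Signature

# Parsing and re-serialising the JSON changes the bytes (whitespace here),
# so the signature must be checked against the body exactly as received.
RESERIALISED = json.dumps(json.loads(RAW_BODY)).encode()

if __name__ == "__main__":
    print("hmac over raw body :", verify(SECRET, RAW_BODY, HEADER))
    print("secret + body      :", concat_sha1(SECRET.encode(), RAW_BODY) == HEADER)
    print("body + secret      :", concat_sha1(RAW_BODY, SECRET.encode()) == HEADER)
    print("re-serialised body :", verify(SECRET, RESERIALISED, HEADER))
```

In a web framework, pass the unparsed request bytes to `verify`, not a body that middleware has already decoded and re-encoded.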