Skip to main content

I want to make this post as I have spent the last day trying to understand why the X-Hub-Signature being sent in the header wasn’t matching the the HMAC signature that I was getting when converting the JSON body and Client Secret from the request.

If you are using Python, MAKE SURE YOU USE SEPARATORS IN THE JSON DUMP BEFORE ENCODING
Here is the method that worked for me:

  def authenticate_intercom_request(self,x_hub_sig):
json_string = json.dumps(self.body, separators=(',', ':'))
hashed = hmac.new(self.secret.encode('utf-8'), json_string.encode('utf-8'), sha1)
return hmac.compare_digest(hashed.hexdigest(), x_hub_sigb5:])

Python by default will add chars in the body that will alter the returned value from Intercom, and without the separators listed above it will always fail.

 

Hey ​@Achaias Haycock 👍
 

Thanks for sharing your experience! You're absolutely right—JSON formatting inconsistencies can cause the X-Hub-Signature to not match the HMAC signature when verifying Intercom webhooks. This is a common issue when working with Python’s json.dumps(), as it introduces default whitespace formatting, altering the signature.

Your solution of using separators=(',', ':') in json.dumps() ensures that the JSON structure matches the exact format used by Intercom when calculating the signature.

Great work and thanks so much for contributing to our community with such an important tip 🧠 

 


Reply