Skip to main content

Python SHA-1 webhook verification


I want to make this post as I have spent the last day trying to understand why the X-Hub-Signature being sent in the header wasn’t matching the the HMAC signature that I was getting when converting the JSON body and Client Secret from the request.

If you are using Python, MAKE SURE YOU USE SEPARATORS IN THE JSON DUMP BEFORE ENCODING
Here is the method that worked for me:

  def authenticate_intercom_request(self,x_hub_sig):
    json_string = json.dumps(self.body, separators=(',', ':'))
    hashed = hmac.new(self.secret.encode('utf-8'), json_string.encode('utf-8'), sha1)
    return hmac.compare_digest(hashed.hexdigest(), x_hub_sig[5:])

Python by default will add chars in the body that will alter the returned value from Intercom, and without the separators listed above it will always fail.

 

0 replies

Be the first to reply!

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings