Skip to main content
Sticky

Python SHA-1 webhook verification

  • February 9, 2025
  • 1 reply
  • 17 views

I want to make this post as I have spent the last day trying to understand why the X-Hub-Signature being sent in the header wasn’t matching the the HMAC signature that I was getting when converting the JSON body and Client Secret from the request.

If you are using Python, MAKE SURE YOU USE SEPARATORS IN THE JSON DUMP BEFORE ENCODING
Here is the method that worked for me:

  def authenticate_intercom_request(self,x_hub_sig):
    json_string = json.dumps(self.body, separators=(',', ':'))
    hashed = hmac.new(self.secret.encode('utf-8'), json_string.encode('utf-8'), sha1)
    return hmac.compare_digest(hashed.hexdigest(), x_hub_sig[5:])

Python by default will add chars in the body that will alter the returned value from Intercom, and without the separators listed above it will always fail.

 

1 reply

Paul Byrne
Intercom Team
Forum|alt.badge.img
  • Intercom Team
  • 7 replies
  • February 16, 2025

Hey ​@Achaias Haycock 👍
 

Thanks for sharing your experience! You're absolutely right—JSON formatting inconsistencies can cause the X-Hub-Signature to not match the HMAC signature when verifying Intercom webhooks. This is a common issue when working with Python’s json.dumps(), as it introduces default whitespace formatting, altering the signature.

Your solution of using separators=(',', ':') in json.dumps() ensures that the JSON structure matches the exact format used by Intercom when calculating the signature.

Great work and thanks so much for contributing to our community with such an important tip 🧠 

 


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings