Skip to main content
Answered

How to use X-Hub-Signature in webhooks?

  • October 13, 2021
  • 1 reply
  • 1035 views

You mention in the Signed Notifications section in the webhooks docs (https://developers.intercom.com/building-apps/docs/webhook-model#section-signed-notifications that the X-Hub-Signature is a sha1 signature of the payload.body and the client secret.

 

Could you please confirm the order both strings are concatenated (payload.body + client_secret) or (client_secret + payload.body) before you pass through sha1()?

 

Although I've tried both options I'm yet to get a match, but before I look into the possibility of my payload body causing the issue I'd like to get confirmation on the order the two strings should be concatenated.

 

I'm attempting to pass the concatenated string through a sha1() method to do a string comparison with the header value from the request?

 

Is the usual method to confirm signature or is there something I've missed?

Best answer by Eric Fitz

Hey @craig w11​, the secret and payload are not concatenated, it’s a HMAC algorithm as specified here, so the client secret is used as the secret key and the payload is what actually gets hashed.

View original
Did this topic help you find an answer to your question?

1 reply

Eric Fitz
Employee
Forum|alt.badge.img+5
  • Employee
  • 1630 replies
  • Answer
  • October 15, 2021

Hey @craig w11​, the secret and payload are not concatenated, it’s a HMAC algorithm as specified here, so the client secret is used as the secret key and the payload is what actually gets hashed.


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings