Webhook verification failing

We’ve been integrating the webhooks the last few weeks and so far all incoming requests have been verified successfully using the HMAC in the request header. Strangely enough, the “order canceled” webhook cannot be verified. I’ve confirmed this by using an external tool like Free HMAC-SHA256 Online Generator Tool | Devglan and even using the Python example from your docs. The HMAC in the request always seems to be different than what we’re computing.

Could someone confirm they’re seeing the same thing?

As the verification uses our API secret I’m not sure if I can share more information.

Hi @maarten_jacobs,
What is the shop name?

@Theresa Hi, my shop name is maarten_dev

Hi @maarten_jacobs
I ran some tests, and the order cancel is working as expected. Here are some things to remember when testing:
Always paste the post as plain text. I used webhook.site for my test, and when the information came through it was formatted by default. I unchecked any formatting and used the copy button.

All the different stores have different secret keys so you will want to test it with the other secret keys, and if it does not work, check it with the default.

Let me know if that helps. If not, we can work through private message as well.

Hi @Theresa

The point about different secret keys was the key! The default secret key produced the HMAC that’s present in the “order_canceled” webhook. However, that seems like a bug: the webhook is being delivered to maarten_dev but is using the secret key of default. All the other webhooks going to maarten_dev use the right secret key. Is there any reason for this discrepancy?

Regarding the formatting of output, that’s a good thing to check. I use ngrok locally, which has a “raw response”. So fortunately I didn’t have that issue this time.

1 Like
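A triage helper for the two failure causes raised in this thread (a signature made with another store's secret, and a body that was reformatted before hashing), added here as an example and not taken from the vendor's docs or any poster's code. It assumes the header carries a base64-encoded HMAC-SHA256 of the raw request body; the secrets, payload and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for illustration; real secrets come from your secret store.
SECRETS = {"maarten_dev": "constructed-shop-secret", "default": "constructed-default-secret"}
RAW_BODY = b'{"webhook_type":"Order Canceled","order_id":1001}'


def sign(secret: str, raw_body: bytes) -> bytes:
    """Base64 HMAC-SHA256 of the raw body (the encoding is an assumption)."""
    digest = hmac.new(secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest)


def matching_secret(raw_body: bytes, received_sig: str, secrets: dict):
    """Return the label of the secret that produced received_sig, or None."""
    found = None
    for label, secret in secrets.items():
        # Constant-time comparison; no early exit so every candidate is checked.
        if hmac.compare_digest(sign(secret, raw_body), received_sig.encode()):
            found = label
    return found


def verify(raw_body: bytes, received_sig: str, expected_shop: str, secrets: dict):
    """Accept only a signature made with expected_shop's key.

    Returns (accepted, label_that_matched); the label is for logs and triage.
    """
    label = matching_secret(raw_body, received_sig, secrets)
    return label == expected_shop, label


def reformatted(raw_body: bytes) -> bytes:
    """Simulate a tool that pretty-prints the JSON before you copy it."""
    return json.dumps(json.loads(raw_body), indent=2).encode()


if __name__ == "__main__":
    sig_default = sign(SECRETS["default"], RAW_BODY).decode()
    print(verify(RAW_BODY, sig_default, "maarten_dev", SECRETS))
    print(verify(reformatted(RAW_BODY), sig_default, "maarten_dev", SECRETS))
```

A result of `(False, "default")` means the body is intact but was signed with the wrong store's key; `(False, None)` points to a modified body or an unknown secret. The request is rejected in both cases.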

Hi, @maarten_jacobs,
This is great, I understand the issue you are having a bit better now. I will do a few tests to replicate the problem, and when that is complete, run it through an engineering bug ticket.

1 Like

Do you have the request-id for the webhook_create mutation when you created the Cancel Order webhook?

@Theresa Yes, the request id is 6152ebbd2787ca89c6f17091

Thank you. I just wanted to make sure that you had the shop in there. I did not test with a shop initially, but I will now. If it does not match the shop when I try it, we can send it to engineering for review.

1 Like