HMAC Signature Mismatch in Webhook Verification | Community
Skip to main content
Answered

HMAC Signature Mismatch in Webhook Verification

  • February 14, 2025
  • 1 reply
  • 52 views
H

We are trying to verify the HMAC-SHA256 signature for our webhook requests but consistently generate a different signature than the one sent in the typeform-signature header. We have ensured the following:

  • The raw request body is identical to what Typeform sends.
  • The secret key matches the one set in the webhook settings.
  • UTF-8 encoding is correctly applied.
  • We’ve tested multiple HMAC implementations (cryptocrypto-js, OpenSSL), all producing the same but incorrect signature.

Could you clarify if Typeform applies any transformations (e.g., JSON minification, normalisation) before signing the payload? We would greatly appreciate any insights on how we can match the expected signature.

Thanks,

Best answer by Harsh

Hi,

Typeform adds a trailing trailing newline character (\n)  signature calculation which may be causing the signature calculation problem.

You could also look into using the "fastify-raw-body" npm package to work with the raw body directly

View original

1 reply

H
Forum|alt.badge.img+4
  • Harsh
  • Socializer
  • 113 replies
  • Answer
  • February 16, 2025

Hi,

Typeform adds a trailing trailing newline character (\n)  signature calculation which may be causing the signature calculation problem.

You could also look into using the "fastify-raw-body" npm package to work with the raw body directly

We develop custom Typeform & VideoAsk solutions to help elevate your business. Reach out on farioconsulting.com
James
H
2 people like this
  • James
    James
  • H
    hananzubair

Reply


Still need help?

Don't be shy and ask the community.

Ask your question here!
Community T&Cs