NodeJs Signature generation failed

  • 20 July 2021
  • 4 replies

Hi everyone, 

I'm trying to build the signature using the shared secret and the payload sent by Typeform webhook but the resulted hash is never the same as the retrieved from the header.

I belive the problem is the request body format.
The Typeform documentation says that the body must be binary, so i parse the JSON object that my applications give me to a buffer before i apply the HMAC SHA-256 algorithm. I also tryed to use JSON.stringfy method after the previous step.

What am i doing wrong?


let payload = request.body
payload = Buffer.from(JSON.stringify(payload))
// payload = JSON.stringify(payload)
const base64BinaryHash = crypto.createHmac('sha256', secret).update(payload).digest('base64')
const finalHash = `sha256=${base64BinaryHash}`



Best answer by Nordin 20 July 2021, 16:06

View original

4 replies

Userlevel 5
Badge +3

Hello there,

This is Nordin from Tech support. I’ll copy and paste my reply from a post where the same issue has been reported for Ruby: 

Maybe you have a problem in your code, but before you go mad with that let me tell you that 95% of the webhook security encryption issues that are escalated to us are caused by testing with the wrong payload. 

In order for the script to work properly, regardless of the language you are using, you need to make sure you pass a real request->body to the algo instead of copying and pasting it from anywhere and storing it in a variable. 

That won’t work, believe me, when I joined Typeform I spent about 3 days modifying my 12 line script until I found out it was because I was using the wrong payload. :joy:  You can use something like Ngrok or Serveo to send it to your dev environment and I believe in most of the cases that will sort it out. 

Additionally in this post I will paste a working example here that our colleague Nico prepared for our Node users:!/tf-webhook-receiver?path=server.js%3A1%3A0

I hope that helps!

Hello Nordin!
I really appreciate your reply!
I believe we both are correct: the body format must be the problem.

But my system has one limitation i forgot to mention: it was build with AdonisJS framework. The routing process in this case is a little bit limited by this framework, so i am figuring out a workaround.


Userlevel 7
Badge +5

Let us know how the workaround goes, @GustavoBD !

Userlevel 1

I will create a new topic about this