Answered

Webhook secret Authentication issue

  • 18 July 2021
  • 7 replies
  • 428 views

I was creating a webhook for Typeform in Ruby on Rails and it is working fine. I was trying to add authentication using the secret by following https://developer.typeform.com/webhooks/secure-your-webhooks/. I tried using exactly the same code given in the documentation, but the received and actual signatures are still different. I tried verifying the payload and secret by converting it to SHA-256 in an online encryptor, and the hash produced there is the same as what I get when doing the encryption in the code. The authorization token passed in the Typeform request header is wrong. Can someone help me here?

 


Best answer by Nordin 20 July 2021, 16:02


Hi @aswinvb Thanks for stopping by the community! Happy Monday. :grinning: Do you mind sharing the code and setup you’re using? That’ll help me see better what’s happening. Thanks!

Hi @Liz, I created the secret token using ruby -rsecurerandom -e 'puts SecureRandom.hex(20)' and added it in the webhook configuration.

Following is the code that I added in our server:

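    require 'openssl'
    require 'base64'

    # Read the raw request body and check it against the Typeform-Signature header.
    def authenticate_typeform
      request.body.rewind
      payload_body = request.body.read
      verify_signature(request.env['HTTP_TYPEFORM_SIGNATURE'], payload_body)
    end

    # Recompute 'sha256=' + Base64(HMAC-SHA256(secret, body)) and compare in constant time.
    def verify_signature(received_signature, payload_body)
      hash = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), GlobalConstant.typeform.secret, payload_body)
      actual_signature = 'sha256=' + Base64.strict_encode64(hash)
      # to_s: a request with no signature header is rejected instead of raising on nil
      render json: { message: 'Authentication Error' }, status: :bad_request and
        return unless Rack::Utils.secure_compare(actual_signature, received_signature.to_s)
    end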

Thanks!

 


Hi @aswinvb Since I’m not super familiar with Ruby, I’ve reached out to my colleagues to ask for some help! I’ll paste their responses here once I hear back. :) 

Thanks for the response @Liz 


Hello there,

This is Nordin from Tech support. Nice to be back for a bit in our lovely community.

I’m not a Ruby specialist and maybe you have a problem in your code, but before you go mad with that let me tell you that 95% of the webhook security encryption issues that are escalated to us are caused by testing with the wrong payload. 

In order for the script to work properly, regardless of the language you are using, you need to make sure you pass a real request->body to the algo instead of copying and pasting it from anywhere and storing it in a variable. 

That won’t work, believe me. When I joined Typeform I spent about 3 days modifying my 12 line script until I found out it was because I was using the wrong payload. :joy: You can use something like Ngrok or Serveo to send it to your dev environment, and I believe in most of the cases that will sort it out.
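The failure mode described in the answer above, as an added example that is not part of the original thread or of Typeform's documentation: the same HMAC-SHA256 check is run over the raw request bytes and over copies of the same JSON that have been re-serialized, pretty-printed or trimmed. The secret, the payload and the helper names are constructed for illustration.

```ruby
require 'openssl'
require 'json'

# Constructed sample values for illustration; not real Typeform data.
SECRET = 'constructed-example-secret'
# Raw bytes as they arrive on the wire: compact JSON, an escaped character, a trailing newline.
RAW_BODY = %({"event_id":"EXAMPLE01","form_response":{"answers":[{"text":"caf\\u00e9"}]}}\n)

# Signature format used in the thread: 'sha256=' + Base64(HMAC-SHA256(secret, body)).
def typeform_signature(secret, body)
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, body)
  'sha256=' + [digest].pack('m0') # pack('m0') is what Base64.strict_encode64 does
end

# Stand-in for Rack::Utils.secure_compare so the example has no gem dependency.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A missing header (nil) is treated as an empty string and therefore rejected.
def valid_signature?(secret, body, received)
  secure_compare(typeform_signature(secret, body), received.to_s)
end

# Verify one header value against several renderings of the same JSON document.
def check_variants(secret, raw_body)
  header = typeform_signature(secret, raw_body) # value the sender puts in Typeform-Signature
  parsed = JSON.parse(raw_body)
  {
    raw_bytes:      valid_signature?(secret, raw_body, header),
    reserialized:   valid_signature?(secret, JSON.generate(parsed), header),
    pretty_printed: valid_signature?(secret, JSON.pretty_generate(parsed), header),
    trimmed:        valid_signature?(secret, raw_body.strip, header),
    missing_header: valid_signature?(secret, raw_body, nil)
  }
end

check_variants(SECRET, RAW_BODY).each do |name, ok|
  puts format('%-15s %s', name, ok ? 'match' : 'MISMATCH')
end
```

Only the untouched request bytes verify; every copy that has passed through a parser, a formatter or a clipboard produces a different digest even though the JSON is semantically identical.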

Thanks @Nordin, the issue was what you said. When I tried directly by giving the endpoint in Typeform, it is working.

Thank you so much!


Yay! Glad that worked, @aswinvb . Thanks @Nordin for the help! :smiley:
