Webhook V3.0 Signature Verification

Hello, I'm new to PagerDuty and have a question about PagerDuty signature verification.

https://developer.pagerduty.com/docs/ZG9jOjExMDI5NTkz-verifying-signatures
In this document, it's mentioned that one needs to compute SHA-256 using the provided secret on the "JSON payload".

I'm confused about whether to include the header or convert to a different format like plain text and so on. When I checked with an online HMAC generator, the computed output hash value never matched the payload signature.

Could you please guide me on how to do the verification? Linking an old topic as a helpful article [https://community.pagerduty.com/forum/t/how-do-we-verify-webhook-v3-signatures-current-documentation-outdated/3447]

Hey there,

The dev documents have three examples in JS, Python, and Go that might help you answer your questions here:

https://developer.pagerduty.com/docs/ZG9jOjExMDI5NTkz-verifying-signatures#examples-of-webhooks-signing

  • Pull the signature key from the header (remember to remove the v1= prefix)
  • You are encoding the entire payload body as is, not including the headers.

Note: There can be more than one signature in the header so be sure you compare against all the v1= signatures for a match.
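
The check described in the reply above, as an added Python example that is not part of the original posts or PagerDuty's own sample code. The secrets, payload, and signatures are constructed for the demonstration, and the `sign` and `verify_signature` helper names are hypothetical; it also shows why re-formatting the JSON before hashing (as an online HMAC tool may do) makes the signature fail.

```python
import hashlib
import hmac
import json


def sign(secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw request body, keyed with the webhook secret."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, raw_body: bytes, signature_header: str) -> bool:
    """True if any v1= entry in the signature header matches the body's HMAC.

    signature_header is the value of the X-PagerDuty-Signature request header,
    which can carry several comma-separated v1=<hex> entries.
    raw_body must be the bytes exactly as received, before any JSON parsing.
    """
    expected = sign(secret, raw_body).encode("ascii")
    matched = False
    for item in signature_header.split(","):
        version, sep, candidate = item.strip().partition("=")
        # Ignore entries without the v1= prefix; compare in constant time.
        if sep and version == "v1" and hmac.compare_digest(
            candidate.encode("utf-8"), expected
        ):
            matched = True
    return matched


# Constructed sample data (not real PagerDuty values).
SECRET = "constructed-demo-secret"
RAW_BODY = b'{"event": {"id": "CONSTRUCTED01", "event_type": "incident.triggered"}}'

good_sig = sign(SECRET, RAW_BODY)
old_sig = sign("constructed-rotated-out-secret", RAW_BODY)
HEADER = f"v1={old_sig},v1={good_sig}"  # two signatures; only the second matches

# Same JSON content, different bytes: parsing and re-serializing drops whitespace.
RESERIALIZED = json.dumps(json.loads(RAW_BODY), separators=(",", ":")).encode("utf-8")

if __name__ == "__main__":
    print("raw body verifies:      ", verify_signature(SECRET, RAW_BODY, HEADER))
    print("re-serialized verifies: ", verify_signature(SECRET, RESERIALIZED, HEADER))
```

In a web framework, read the request's raw bytes for `raw_body` rather than the parsed JSON object, and reject the request when the function returns `False`.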