IDEN
← Troubleshooting
Webhooks

Invalid signature

Symptoms

  • HMAC verification fails
  • Payload rejected as untrusted

Likely causes

  • Body parsed before hashing (not raw)
  • Wrong signing secret
  • Encoding mismatch

How to fix

  • Hash the raw body exactly as received
  • Use the correct signing secret
  • Use `timingSafeEqual`