Hash verification issue

Hi All,

We’ve been seeing alternately failing and succeeding hash verifications in our webhook listener. I didn’t understand how verification could be working and not working with the same code until I stumbled on successive notifications for the same event where the notification body is different but the ‘x-request-signature-sha-256’ value is the same. For events that succeed we get timestamp and created values that have 3 digits of millisecond “2019-10-02T18:44:44.520Z”. For those that don’t we get an identical event body except the time values have only 2 digits of millisecond - “2019-10-02T18:44:44.52Z”. Has anyone seen this or solved it? This is happening in the sandbox but it’s making us uncomfortable since we rely pretty heavily on our webhook.


Hi @ddevogel, that definitely seems a bit strange. Do you have a few examples of the raw webhook request payloads that you could reply back with to help us debug further?

Do you happen to have multiple webhook subscriptions set up on the same consumer application or on a different application? I’ve seen this trip some people up as they’ll receive the same event twice but they belong to different apps.

Thanks @spencer. Sorry, I should have clarified. We only have the one unpaused subscription. I believe the retries are because we return a 400 on the first hash failure and Dwolla helpfully keeps trying to send the notification. The second send has the timestamps formatted differently/correctly and that verify works.

[Edit] Here are the examples. Note the timestamp diffs.

This instance failed the hash verification.


This one succeeded.


Hi @ddevogel, sorry for the delay in response. This is very strange so I’m still doing some digging in our logs to figure out what could be going on. It seems like you have multiple subscriptions set up and are receiving the same event on both subscriptions, however it looks like all webhook subscriptions you created have been deleted. Are you still receiving this behavior?

Hi Spencer,

I just did a webhooks query and I only get this one back {id: 117862fe-b096-402c-8738-01b80364bc80}. We’ve only gotten a few events since the last failure but for now, things look good. All those hash verifies succeeded. It seemed pretty clear on the earlier failures that with different body(s) and the same hash that one or the other would have to fail but that doesn’t appear to be happening right now/any more. I’ll keep you posted if I see the error again. Thanks.


Sounds great, please do let us know if you encounter anything unexpected again! :slight_smile:
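The situation discussed in this thread, as an added example that is not code from the original posts or from Dwolla: a listener that verifies the `x-request-signature-sha-256` header against the raw request bytes and logs a fingerprint of each delivery, so that one signature arriving with two different bodies can be detected. It assumes the signature is a hex-encoded HMAC-SHA256 of the exact request body keyed with the webhook secret; the secret, the payloads and the function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

SIG_HEADER = "x-request-signature-sha-256"  # header name as quoted in the thread


def sign(secret: bytes, raw_body: bytes) -> str:
    # Assumed scheme: hex-encoded HMAC-SHA256 over the exact body bytes.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    # Verify the bytes as received, before any JSON parsing or re-serializing.
    received = headers.get(SIG_HEADER, "").strip().lower()
    # compare_digest is a constant-time comparison.
    return hmac.compare_digest(sign(secret, raw_body).encode(), received.encode())


def fingerprint(raw_body: bytes, headers: dict) -> dict:
    # Safe to log: lets two deliveries be compared without storing the payload.
    return {
        "signature": headers.get(SIG_HEADER, "").strip().lower(),
        "body_sha256": hashlib.sha256(raw_body).hexdigest(),
        "body_len": len(raw_body),
    }


def conflicting_signatures(fingerprints: list) -> dict:
    # One signature seen with more than one distinct body: at most one verifies.
    bodies = defaultdict(set)
    for fp in fingerprints:
        bodies[fp["signature"]].add(fp["body_sha256"])
    return {sig: sorted(h) for sig, h in bodies.items() if len(h) > 1}


# Constructed sample data (not real payloads or secrets).
SECRET = b"constructed-webhook-secret"
BODY_3_DIGITS = b'{"topic":"constructed_event","timestamp":"2019-10-02T18:44:44.520Z"}'
BODY_2_DIGITS = b'{"topic":"constructed_event","timestamp":"2019-10-02T18:44:44.52Z"}'
HEADERS = {SIG_HEADER: sign(SECRET, BODY_3_DIGITS)}  # same header on both deliveries

if __name__ == "__main__":
    deliveries = [fingerprint(b, HEADERS) for b in (BODY_3_DIGITS, BODY_2_DIGITS)]
    for body in (BODY_3_DIGITS, BODY_2_DIGITS):
        print(verify(SECRET, body, HEADERS), len(body))
    print(conflicting_signatures(deliveries))
```

Logging the fingerprint on every failed verification gives the raw-payload evidence asked for earlier in the thread without writing event contents to the log.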