Webhooks: generated signatures are not matching with Proposed signatures

I’m trying to authenticvalidate webhooks in PHP following this guide https://developers.dwolla.com/guides/webhooks/validating-webhooks#step-3-validating-webhooks.

The generated signature is not matching the proposed signature from Dwolla

Here is the code snippet for my code:
public function verify_gateway_signature($proposedSignature, $payloadBody)
$signature = hash_hmac(‘sha256’, $payloadBody, $this->webhook_secret);
Logger::info('GeneratedSignature: ’ . $signature);
return [‘generated_signature’ => $signature, ‘is_valid’ => $signature == $proposedSignature];

And reading the proposed signature from headers:

Hi Brijesh! Would you be able to share your accountID or your Webhook subscription ID?
It is possible that you may have multiple Webhook subscriptions and that you may be comparing the signature of the webhook sent for subscription A with the one you set for subscription B. Again, just a speculation that I thought we’d confirm is not the case before diving deep!

Hi Shreya,

Thanks for getting back. I found the issue and it was due to the escaped characters when converting Dwolla payload to string. I was able to fix it by encoding Dwolla payload to string without escaping “/”.

Thanks again.

Hi Brijesh – glad you were able to find that out! Thanks for posting an update! :slight_smile:

1 Like