You mention in the Signed Notifications section in the webhooks docs (https://developers.intercom.com/building-apps/docs/webhook-model#section-signed-notifications that the X-Hub-Signature is a sha1 signature of the payload.body and the client secret.
Could you please confirm the order both strings are concatenated (payload.body + client_secret) or (client_secret + payload.body) before you pass through sha1()?
Although I've tried both options I'm yet to get a match, but before I look into the possibility of my payload body causing the issue I'd like to get confirmation on the order the two strings should be concatenated.
I'm attempting to pass the concatenated string through a sha1() method to do a string comparison with the header value from the request?
Is the usual method to confirm signature or is there something I've missed?
Best answer by Eric Fitz
View original
