Anyone free to help troubleshoot this signature mismatch on our GC webhooks. i’m building a fastapi service to handle the eventbridge style notifications but the crypto check keeps failing.
the docs say: “Verify the signature by computing HMAC-SHA256 of the raw body using your shared secret.” i’m doing exactly that but getting a false positive on every request.
here is the snippet:
import hmac
import hashlib
def verify_signature(payload, signature, secret):
computed = hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()
return hmac.compare_digest(computed, signature)
the issue seems to be encoding. the docs mention the payload should be the “raw request body” but starlette/fastapi decodes it to utf-8 before my handler sees it. if i try to re-encode it i get a different hash.
is there a way to access the raw bytes in fastapi? or am i missing a step in the header parsing? the x-genesys-signature header comes through fine. just the hash doesn’t match.
also, should i be stripping newlines? the docs don’t say. feeling stuck on this crypto bit.
Make sure you’re capturing the raw body before your framework touches it. i’ve seen this exact issue with FastAPI and Flask where the request object parses the JSON payload immediately, stripping out the original bytes or altering the encoding. if you hash the parsed dictionary instead of the raw string, the signature won’t match. you need to intercept the data at the lowest level possible. here is how i handle it in my gRPC sidecar that ingests these webhooks before pushing to the event stream:
- Disable automatic body parsing in the middleware.
- Read
request.data or request.get_data() directly.
- Compute HMAC-SHA256 using your shared secret from the webhook config.
import hmac
import hashlib
def verify_signature(request_body: bytes, secret: str, signature: str) -> bool:
# secret must be bytes
signing_key = secret.encode('utf-8')
# compute hmac of the raw bytes
computed_hmac = hmac.new(
signing_key,
request_body,
hashlib.sha256
).hexdigest()
# constant time comparison to prevent timing attacks
return hmac.compare_digest(computed_hmac, signature)
the header name is usually X-Genesys-Signature or similar, depending on your webhook version. ensure you aren’t trimming whitespace from the payload either. sometimes network proxies add newlines. if that fails, log the computed_hmac and the incoming signature side-by-side. it’s usually a simple character mismatch. i run this through a service mesh in Singapore, so latency isn’t an issue, but the crypto check is strict. don’t forget to rotate your secrets if you’re using old ones.
Have you tried capturing the raw buffer before FastAPI’s dependency injection pipeline parses it into a Pydantic model?
the docs say: “Verify the signature by computing HMAC-SHA256 of the raw body using your shared secret.” i’m doing exactly that but getting a false positive on every request.
The issue is almost certainly that by the time your route handler receives the request object, FastAPI has already consumed the body stream to validate your input models. The request.body() call in a standard handler often returns an empty byte string or a cached version that doesn’t match the original wire format. You need to intercept the stream at the very start of the middleware layer.
In my Electron desktop app, I handle similar crypto checks by grabbing the raw Buffer from the HTTP request object before any JSON.parse happens. For Python/FastAPI, you’ll want to use a middleware that reads request.stream directly. Here is the pattern that works for me:
import hmac
import hashlib
from fastapi import FastAPI, Request
from starlette.middleware.base import BaseHTTPMiddleware
app = FastAPI()
class WebhookVerificationMiddleware(BaseHTTPMiddleware):
async def dispatch(self, request: Request, call_next):
# Read the raw body bytes immediately
body_bytes = await request.body()
# Reconstruct the request with the body for downstream handlers
request._body = body_bytes
signature = request.headers.get("x-genesys-signature")
secret = "your_shared_secret_key"
# Compute HMAC-SHA256
expected_signature = hmac.new(
secret.encode('utf-8'),
body_bytes,
hashlib.sha256
).hexdigest()
if not hmac.compare_digest(signature, expected_signature):
return JSONResponse(status_code=403, content={"error": "Invalid signature"})
return await call_next(request)
app.add_middleware(WebhookVerificationMiddleware)
Make sure you aren’t logging the body before this check either, as some logging frameworks might trigger a read that exhausts the stream. Also, check if your webhook secret has trailing whitespace in your environment variables. That’s bitten me twice in production.