Unable to verify webhook signature (NodeJS)

Hello everyone!

I have a question related Rapyd webhook. I want to verify the signature get from webhook.

The signature i calculate is always different from the webhook.

async verifyWebhookSignature(signatureReceived, salt, timestamp, body) {
    // webhook url path set in dashboard.
    const webhookUrlPath = RAPYD.WEBHOOK_URL;
    // access key from dashboard.
    const accessKey = RAPYD.ACCESS_KEY;
    // secret key from dashboard.
    const secretKey = RAPYD.SECRET_KEY;
    // stringified JSON string without whitespace
    const bodyString = JSON.stringify(body);

    // Signature
    const informationToSign = webhookUrlPath + salt + timestamp + accessKey + secretKey + bodyString;
    const signedData = CryptoJS.enc.Hex.stringify(CryptoJS.HmacSHA256(informationToSign, secretKey));
    const finalSignature = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Utf8.parse(signedData));

    // If the finalSignature is equal to signature received, return true
    if (finalSignature == signatureReceived) return true;

    return false;
1 Like

Hope this helps.

function sign(method, urlPath, salt, timestamp, body) {
    try {
        let bodyString = "";
        if (body) {
            bodyString = JSON.stringify(body);
            bodyString = bodyString == "{}" ? "" : bodyString;

        let toSign =
            method.toLowerCase() +
            urlPath +
            salt +
            timestamp +
            accessKey +
            secretKey +
        log && console.log(`toSign: ${toSign}`);

        let hash = crypto.createHmac("sha256", secretKey);
        const signature = Buffer.from(hash.digest("hex")).toString("base64");
        log && console.log(`signature: ${signature}`);

        return signature;
    } catch (error) {
        console.error("Error generating signature");
        throw error;

Thanks, but your solution here is only valid for creating a signature (which I don’t have a problem with)

Interested in the verification part for webhook signatures.

Yh sure, have you tried using raw body passed in without stringifying it.

getWebhookSignature(webhookUrl: string, saltHeader: string, timestampHeader: string, rawBody: string) {
    return (
        crypto.createHmac('sha256', this.secretKey)

And see if it matches the signature sent from from the webhook

you can also try to check how you are parsing the body…

same rules apply as the ones for the api requests.

Hey man, still doesn’t work :frowning:

Huhh. Ok, as stated by the Rapyd team, if it doesn’t work, try contacting them @


They should be able to respond to the above problem stated.

1 Like

Thanks for asking @eni4sure, and thanks for your help @Benrobo.

I would definitely reach out to support.

In the meantime you can view some of these past topics about correcting the body string of the signature request to match the webhook.

Tried reaching the support but it requires me to login ? and I don’t know where to signup.

Yes I’ve seen this, it’s implemented in PHP.
Though, I’ve tried following the instructions for JS but it still doesn’t work!

Thanks, it’s in PHP, but the issue may be the same with the spacing in the body string.

Here is also a helpful video by @isaac

You can use your Client Portal login for the support login, not to the Developer Community Forum.

I’ve checked the body and parsed it via JSON.stringify(body) to remove extra space. Still no solution :frowning: