Stripe .net "The signature for the webhook is not present in the Stripe-Signature header."

Asked 27/9, 2017 at 15:14 Answered 24/4 at 4:9

I am using Stripe.net SDK from NuGet. I always get the

The signature for the webhook is not present in the Stripe-Signature header.

exception from the StripeEventUtility.ConstructEvent method.

[HttpPost]
public void Test([FromBody] JObject incoming)
{
    var stripeEvent = StripeEventUtility.ConstructEvent(incoming.ToString(), Request.Headers["Stripe-Signature"], Constants.STRIPE_LISTENER_KEY);
}

The WebHook key is correct, the Request Header contains "Stripe-Signature" keys.

I correctly receive incoming data from the Webhook tester utility (using nGrok with Visual Studio).

the secureCompare method seems to be the culprit => StripeEventUtility.cs

I tried to manipulate the incoming data from Stripe (Jobject, string, serializing...). The payload signature may cause some problem.

Has anybody had the same problem?

Numbing answered 27/9, 2017 at 15:14 Comment(3)

Are you using the 'webhook' signing secret or the 'API' signing secret? What fixed it for me was switching from the API secret to the webhook one – Brickey 2/10, 2017 at 1:9

Yes I am using the Webhook secret key contained in Constants.STRIPE_LISTENER_KEY – Numbing 2/10, 2017 at 14:54

Did you ever get a solution to this? I have the same error and I am pretty sure I am using the correct secret – Piggyback 16/9, 2019 at 21:22

As per @Josh's comment, I received this same error

The signature for the webhook is not present in the Stripe-Signature header.

This was because I had incorrectly used the API secret (starting with sk_) to verify the HMAC on EventUtility.ConstructEvent.

Instead, Stripe WebHook payloads are signs with the Web Hook Signing Secret (starting with whsec_) as per the docs

The Web Hook Signing Secret can be obtained from the Developers -> WebHooks page:

Leap answered 15/11, 2018 at 14:29 Comment(1)

Comment from @Ameya: I received the same error even with valid Signing Key whsec_xxxxxx. The issue for me was that with ASP.NET Core 3.xxx versions synchronous operations are not allowed. So we have to construct the Stripe event with the following code.

using (var sr = new StreamReader(this.HttpContext.Request.Body))  {       json = await sr.ReadToEndAsync();  } var stripeEvent = Stripe.EventUtility.ConstructEvent(json, Request.Headers["Stripe-Signature"], this._stripeSigningSecret, 300, false);

– Leap 26/11, 2019 at 8:58

The error can also occur because you are using the secret from the Stripe dashboard. You need to use the temporary one generated by the stripe cli if you are using the CLI for testing.

To obtain it run this:

stripe listen --print-secret

Aquarelle answered 24/11, 2021 at 5:14 Comment(0)

I was also receiving the same exception message when I looked at it in the debugger but when I Console.WriteLine(e.Message); I received a different exception message.

Received event with API version 2020-08-27, but Stripe.net 40.5.0 expects API version 2022-08-01. We recommend that you create a WebhookEndpoint with this API version. Otherwise, you can disable this exception by passing throwOnApiVersionMismatch: false to Stripe.EventUtility.ParseEvent or Stripe.EventUtility.ConstructEvent, but be wary that objects may be incorrectly deserialized.

I guess your best bet is to set throwOnApiVersionMismatch to false;

EventUtility.ParseEvent(json, header, secret, throwOnApiVersionMismatch: false)

Divorcee answered 31/8, 2022 at 19:20 Comment(0)

Im not sure about reason of this, but Json readed from Request.Body has a little bit different structure than parsed with [FromBody] and Serialized to string.

Also, you need to remove [FromBody] JObject incoming because then Request.Body will be empty.

The solution you need is:

[HttpPost]
public void Test()
{
    string bodyStr = "";
    using (var rd = new System.IO.StreamReader(Request.Body))
      {
          bodyStr = await rd.ReadToEndAsync();
      }
    var stripeEvent = StripeEventUtility.ConstructEvent(bodyStr, Request.Headers["Stripe-Signature"], Constants.STRIPE_LISTENER_KEY);
}

Mafaldamafeking answered 11/1, 2021 at 13:50 Comment(0)

Try this approach!

When you are testing use vscode : https://docs.stripe.com/stripe-vscode

replace the key generated from stripe cli here

var WebhookSecret = "your-Key-here";

var stripeSigniture = req.Headers.GetValues("Stripe-Signature").FirstOrDefault();
stripeEvent = EventUtility.ConstructEvent( json, stripeSigniture, WebhookSecret, 300, throwOnApiVersionMismatch: false);

Manhattan answered 24/4 at 4:9 Comment(0)

Recommended topics

Hot tags