Calculated HMACSHA256 is not same as payload signature

Started by Rizwan Shaikh in API Endpoints


I have activated Webhook and was validating the intent to receive. Every time I get the following error.
Response not 200.

I am using CryptoJS for deriving the HMAC from the payload. Unfortunately the calculated MAC is always different from the signature passed across in the header. I have gone through the guidelines too.

This is what I have been doing.
var hash = CryptoJS.HmacSHA256("Message", "secret");
var hashInBase64 = CryptoJS.enc.Base64.stringify(hash);

Could you please guide me in the right direction? Is there something that I am missing?

The validation should be the same on both the ITR payloads and the live ones. The only difference is the size of the live payloads being larger.

I would suggest routing your webhooks through ngrok (if possible). It is a great way of examining what is being received from our servers.

Robin Blackstone (Community Manager)  

I have been integrating Xero with a cloud platform called ServiceNow.

To check the number of calls made to the webhook, I have added logs into the system. The logs are triggered on every call. Currently I can see logs for only one call, so I am assuming the webhook is being invoked only one time.

May I know how many calls are being made to the webhook whenever 'Intent to receive' is hit? And if multiple calls are made, could you also please tell me how many calls have a correct header signature and how many have an incorrect header signature?

Rizwan Shaikh  

Logs -
events: blank array

Rizwan Shaikh  

header signature - r2A+5uWPXto/M2hRFX+GvlPzenYI29FYqN16SaYCbCc=

Calculated signature from our platform - yft8Ak/abwabPCuSb4FXi9czvUcQZXuk666ikgv4pN4=

Unfortunately the signature doesn't match up and the intent to receive fails every time.

Rizwan Shaikh
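
An added example, not part of the thread and not Xero's code: a Node.js check that computes the Base64 HMAC-SHA256 over the request body exactly as received and compares it to the header value in constant time, plus a diagnostic showing one way a calculated value can differ from the header value (hashing re-serialized JSON instead of the received bytes). The key, the body and the function names are constructed for this example.

```javascript
const crypto = require('node:crypto');

// Base64 HMAC-SHA256 of the body exactly as received (Buffer or string).
function computeSignature(rawBody, webhookKey) {
  return crypto.createHmac('sha256', webhookKey).update(rawBody).digest('base64');
}

// Compare the header value with the computed value in constant time.
function isValidSignature(rawBody, headerSignature, webhookKey) {
  const expected = Buffer.from(computeSignature(rawBody, webhookKey), 'utf8');
  const received = Buffer.from(String(headerSignature), 'utf8');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Constructed sample data (assumptions, not values from the thread).
const SAMPLE_KEY = 'constructed-webhook-key';
const SAMPLE_RAW_BODY = Buffer.from(
  '{"events": [], "sample": "constructed"}', 'utf8');
// Stands in for the signature header the sender would attach.
const SAMPLE_HEADER = computeSignature(SAMPLE_RAW_BODY, SAMPLE_KEY);

// Report which candidate inputs reproduce the header signature.
// Parsing and re-stringifying JSON changes whitespace, so the bytes
// (and therefore the HMAC) no longer match what the sender signed.
function diagnose(rawBody, headerSignature, webhookKey) {
  const text = rawBody.toString('utf8');
  const candidates = {
    rawBytes: rawBody,
    reserializedJson: JSON.stringify(JSON.parse(text)),
  };
  const report = {};
  for (const [name, input] of Object.entries(candidates)) {
    report[name] = isValidSignature(input, headerSignature, webhookKey);
  }
  return report;
}

console.log(diagnose(SAMPLE_RAW_BODY, SAMPLE_HEADER, SAMPLE_KEY));
```

When the two values disagree, log the received body as bytes (for example hex) next to the computed signature, so any change made by the platform before hashing becomes visible.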