Xero - beautiful accounting software

Xero Developer Help Center

Xero Developer Community

Community > Getting Started >

Failing to validate webhooks api key

Started by Alan Whitby -   in Getting Started

Hey guys,

We've setup webhooks but have been having nothing but problems. I created the route on our side, complete the verification steps and receive webhooks successfully for hours. Then a week or two later our customers complain that they aren't receiving live updates. I login to the xero developer portal and find that the webhook key that they have listed is now somehow different to the one stored in the config for my application. Is this periodically changing for some reason on Xero's side?

Secondly, I copy this new API key into my application and pass the 'verification' step again through the portal, only now the webhooks themselves are failing to authorise correctly. Don't really understand how this can happen as the 'intent to receive' should validate that the code on my receiving end is able to validate the token correctly, but then the live requests aren't able to validate.

PHP snippet below:

$xeroSignature = $request->getHeaderLine('x-xero-signature');
$payload = $request->getRequestBody();

$bodyHash = hash_hmac('sha256', $payload, Config::getXeroWebhookKey(), true);
$encodedHash = base64_encode($bodyHash);

if ($xeroSignature !== $encodedHash)
return $response->withStatus(401);
Hi Alan

We would like to take a closer look, can you get in touch with api@xero.com including your consumer key (or client id) and the details of the connected organisations. We'll then be able to check our logs.

Regards

Robin
 

Robin Blackstone (Community Manager)  

I have almost the same issue, I have passed the webhook validation cycle correctly.
The web hook key has not been changed. I'm using C#.
I made updates on xero invoices and I have received the webhook notifications.
The problem is, the validation cycle always fails although every thing remains the same.
 

Sherif Yahia  

Good to see I'm not the only one. The most confusing part? Overnight I've had a webhook process successfully on my side even though I haven't changed anything. Waiting for Robin's response to know what the next steps are.
 

Alan Whitby