Does anyone have an example of how to verify an incoming webhook from Composio?
We're trying to verify Composio webhook signatures following the Standard Webhooks specification, but the calculated signature doesn't match the expected signature from Composio.
Current Setup:
Using Next.js API route to handle Composio webhooks
Implementing HMAC-SHA256 signature verification
Following Standard Webhooks spec (timestamp.payload concatenation)
Using a UUID webhook secret from Composio dashboard
What We've Tried:
1. Direct string concatenation with normalized secret (removing hyphens)
2. Using Buffer encoding for the secret (both hex and UTF-8)
3. Different approaches to handling the signed content
Example Headers:
Current Implementation:
Question for Composio Team:
Could you confirm the exact signature calculation method you're using? Specifically:
1. How should the webhook secret be preprocessed (if at all)?
2. Are there any specific encoding requirements for the timestamp and payload?
3. Do you have a reference implementation we could look at?
This would help ensure we're implementing the signature verification correctly.
5 Replies
absent-sapphire•2w ago
@KM
flat-fuchsia•2w ago
Hey @DanielFrey - Checking with the team on this.
flat-fuchsia•2w ago
hey @DanielFrey - please refer to this implementation guide: https://gist.github.com/himanshu-dixit/6abf46f52982851b627b936590d12c3b
flat-fuchsia•5d ago
hey @DanielFrey - did you try the above?
flat-fuchsiaOP•4d ago
Hey, I will follow up on this when the time comes. For now I parked it.
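For reference, a verifier for the scheme the question names, as an added example (not code from this thread, the linked gist, or Composio). It follows the published Standard Webhooks specification: `webhook-id`, `webhook-timestamp` and `webhook-signature` headers, signed content `id.timestamp.body`, and a `whsec_`-prefixed base64 secret. Whether Composio signs exactly this way, the UTF-8 fallback for other secrets, and the names `keyFromSecret`, `sign`, `verifyWebhook` and `SAMPLE_SECRET` are assumptions.

```javascript
// Added example: Standard Webhooks style verification (not Composio's code).
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 5 * 60; // replay window; an assumed value

// Spec secrets look like "whsec_<base64>". Treating any other secret as raw
// UTF-8 bytes is an assumption here, not confirmed provider behaviour.
function keyFromSecret(secret) {
  return secret.startsWith("whsec_")
    ? Buffer.from(secret.slice("whsec_".length), "base64")
    : Buffer.from(secret, "utf8");
}

function sign(key, id, timestamp, rawBody) {
  // Signed content is "<id>.<timestamp>.<raw body>"; the body must be the
  // exact string received, not re-serialized JSON.
  return crypto.createHmac("sha256", key)
    .update(`${id}.${timestamp}.${rawBody}`, "utf8")
    .digest("base64");
}

// headers: object with lower-cased names; rawBody: unparsed body string.
function verifyWebhook(secret, headers, rawBody, nowSeconds = Math.floor(Date.now() / 1000)) {
  const id = headers["webhook-id"];
  const timestamp = headers["webhook-timestamp"];
  const sigHeader = headers["webhook-signature"];
  if (!id || !timestamp || !sigHeader) return { ok: false, reason: "missing header" };
  if (!/^\d+$/.test(timestamp)) return { ok: false, reason: "bad timestamp" };
  if (Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS)
    return { ok: false, reason: "timestamp outside tolerance" };

  const expected = Buffer.from(sign(keyFromSecret(secret), id, timestamp, rawBody), "base64");
  // The header may carry several space-separated "v1,<base64>" entries.
  for (const entry of sigHeader.split(" ")) {
    const [version, value] = entry.split(",");
    if (version !== "v1" || !value) continue;
    const candidate = Buffer.from(value, "base64");
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    if (candidate.length === expected.length && crypto.timingSafeEqual(candidate, expected))
      return { ok: true };
  }
  return { ok: false, reason: "no matching signature" };
}

// Constructed sample secret for local testing (not a real Composio value).
const SAMPLE_SECRET = "whsec_" + Buffer.from("constructed-test-key").toString("base64");
```

In a Next.js route handler, pass the unparsed body (for example from `await request.text()`), because re-serializing parsed JSON can change the bytes and break the HMAC.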