Recipe

Troubleshoot webhook signature failures

Signature verification fails for four reasons, and only four. You verified against a parsed body instead of the raw bytes, used the wrong secret, hit clock skew beyond the 5-minute tolerance, or a proxy altered the request. Work through them in order.

1. Are you using the raw body?

The HMAC is over exact bytes. If a JSON middleware parsed and re-serialised the body first, the signature will never match. Capture the raw body before any parsing.

2. Right secret, right endpoint?

Each endpoint has its own whsec_ secret, and test and live differ. A mismatch here fails every request. During a rotation, verify against both.

3. Clock skew

The signed timestamp must be within 300 seconds of your server’s clock. If your host’s clock drifts, fresh deliveries look stale. Sync via NTP.

4. Proxy interference

A load balancer or WAF that rewrites the body or strips the Credicorp-Signature header breaks verification; in that case you will see webhook_signature_missing. Forward both the body bytes and the header intact.
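A verifier that walks the four causes above, as an added example and not code from Credicorp's docs or SDK. The signed-payload layout (timestamp, a dot, then the raw body bytes), the HMAC-SHA256 choice, the event body and the whsec_ values are all assumptions constructed for illustration; check the provider's signing scheme before reusing it.

```python
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

TOLERANCE_SECONDS = 300  # the 5-minute window described above


def sign(secret: str, timestamp: int, raw_body: bytes) -> str:
    # Assumed scheme: HMAC-SHA256 over "<timestamp>.<raw body bytes>"
    msg = f"{timestamp}.".encode() + raw_body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify(raw_body: bytes, timestamp: int, signature: Optional[str],
           secrets: Iterable[str], now: Optional[int] = None) -> str:
    """Return 'ok' or a reason string naming which cause fired."""
    if signature is None:               # cause 4: header stripped by a proxy/WAF
        return "webhook_signature_missing"
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:  # cause 3: clock skew
        return "timestamp_outside_tolerance"
    for secret in secrets:              # more than one secret only during rotation
        if hmac.compare_digest(sign(secret, timestamp, raw_body), signature):
            return "ok"
    return "signature_mismatch"         # cause 1 (re-serialised body) or 2 (wrong secret)


def reserialised(raw_body: bytes) -> bytes:
    # What a JSON middleware hands you: parsed, then dumped again with new whitespace
    return json.dumps(json.loads(raw_body)).encode()


def demo() -> dict:
    secret = "whsec_constructed_example"
    raw = b'{"id": "evt_1",  "amount": 100}'   # constructed; note the double space
    ts = 1_700_000_000
    sig = sign(secret, ts, raw)
    return {
        "raw_body":     verify(raw, ts, sig, [secret], now=ts + 10),
        "parsed_body":  verify(reserialised(raw), ts, sig, [secret], now=ts + 10),
        "wrong_secret": verify(raw, ts, sig, ["whsec_other"], now=ts + 10),
        "rotation":     verify(raw, ts, sig, ["whsec_new", secret], now=ts + 10),
        "clock_skew":   verify(raw, ts, sig, [secret], now=ts + 301),
        "no_header":    verify(raw, ts, None, [secret], now=ts + 10),
    }
```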

Frequently asked questions

It works locally but fails in production — why?

Almost always a proxy or framework re-serialising the body, or stripping the signature header. Capture the raw bytes at the very edge and forward the header untouched.

Could it be clock skew?

Yes, if fresh events fail on the timestamp check. Sync your server clock via NTP; the tolerance is 300 seconds.