webhook_verification_failed
Webhook signature verification failures
HTTP status: N/A (SDK validation)
Category: Webhook signature verification
What this error means
The Wocha SDK rejected an incoming webhook because the HMAC-SHA256 signature could not be verified. This is thrown by constructWebhookEvent() in @wocha/sdk/webhooks with error code webhook_verification_failed.
Common causes
- Wrong webhook signing secret (typo, stale secret after rotation)
- Request body was parsed as JSON before verification (must use the raw string)
- Missing or malformed
X-Wocha-Signatureheader - Timestamp outside the tolerance window (replay or clock skew)
- Proxy middleware modified the request body
How to fix it
- Copy the signing secret from Console → Webhooks → [subscription] → Signing secret.
- Pass the raw request body string to
constructWebhookEvent()— do not usereq.json()first. - Forward the exact
X-Wocha-Signatureheader value (t=<iso8601>,v1=<hex>). - Increase
toleranceSecondsonly if you have verified clock skew; default is 300 seconds. - Use
@wocha/testingto generate valid signed payloads in unit tests.
Example
See also
- Webhooks overview
- @wocha/testing — signed webhook test helpers