I'm trying to develop a webhook for the Xero API for when a Contact is updated.

I managed to get past the Intent to Receive validation (eventually) thanks to the answers. However it doesn't always work. Sometimes, for example, the Hash I compute using:

$yourHash = base64_encode(hash_hmac('sha256', $payload, $webHookKey, true));

is off by one character - where the Web Hook Key, for example, might start with mrj/yJ7pZKejaRrN61vAJB, the computed hash will replace the / with a Y or some other character.

What simple stupid thing am I overlooking?

Stephen Kennedy
Healyhatman

1 Answer

During the setup process Xero sends several requests, some valid and some invalid. The invalid ones require a 401 response header, whereas the valid ones require a 200 response header. Are you sure that one is not one of the invalid ones?

cornernote
  • Pretty sure the odds of the hashing algorithm being off by a single character given two different strings are astronomically low. Either way the issue seems to have resolved itself and I have everything working so it was probably something dumb I was doing. – Healyhatman May 02 '18 at 02:42
  • True, if they are making it invalid by signing it with the wrong key/data. But I suspect they are just randomly changing a character or two in the hash. – cornernote May 07 '18 at 12:10
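
The check discussed in this thread, as an added example that is not code from the question or the answer: it computes the same HMAC as the question and maps a match to 200 and any mismatch to 401. The function name, key and payloads are constructed for illustration, and the `x-xero-signature` header name in the closing comment is an assumption that does not appear on this page.

```php
<?php
// Added example; webhookStatus() is a hypothetical helper name.
// Returns the HTTP status for one delivery: 200 when the supplied signature
// matches the HMAC of the raw request body, 401 otherwise.
function webhookStatus(string $rawBody, string $signature, string $webHookKey): int
{
    // Same computation as in the question: binary HMAC-SHA256, then base64.
    $expected = base64_encode(hash_hmac('sha256', $rawBody, $webHookKey, true));

    // hash_equals() compares in constant time. A signature that differs in
    // even one character is a failed check, not a near miss.
    return hash_equals($expected, $signature) ? 200 : 401;
}

// Constructed sample data: placeholder key and payload, not real values.
$webHookKey = 'EXAMPLE-WEBHOOK-KEY';
$payload    = '{"events": [], "entropy": "CONSTRUCTED"}';

$valid = base64_encode(hash_hmac('sha256', $payload, $webHookKey, true));

// A delivery whose signature is wrong by a single character.
$offByOne    = $valid;
$offByOne[0] = ($valid[0] === 'A') ? 'B' : 'A';

// Decoding and re-encoding the JSON drops the spaces, so the bytes that get
// hashed are no longer the bytes that were signed.
$reencoded = json_encode(json_decode($payload));

$cases = [
    'valid signature'       => [$payload,   $valid],
    'one character changed' => [$payload,   $offByOne],
    're-encoded body'       => [$reencoded, $valid],
    'missing signature'     => [$payload,   ''],
];

foreach ($cases as $label => [$body, $signature]) {
    printf("%-22s -> %d\n", $label, webhookStatus($body, $signature, $webHookKey));
}

// In a live endpoint (assumed header name, see the note above the block):
//   $rawBody   = file_get_contents('php://input');
//   $signature = $_SERVER['HTTP_X_XERO_SIGNATURE'] ?? '';
//   http_response_code(webhookStatus($rawBody, $signature, $webHookKey));
```

Only the first case returns 200; the other three return 401.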