How can I access the raw body of a request for Webhook signature-comparison purposes?

pierce · February 2, 2023, 4:01pm

I have a bit of a rhyming example from another API that might help.

Here’s the source code of our Shopify Partner webhook verification action:

PipedreamHQ/pipedream/blob/master/components/shopify_partner/actions/verify-webhook/verify-webhook.mjs

import shopify_partner from "../../shopify_partner.app.mjs";
import crypto from "crypto";

export default {
  name: "Verify Webhook",
  version: "0.0.1",
  key: "shopify_partner-verify-webhook",
  description:
    "Verify an incoming webhook from Shopify. Exits the workflow if the signature is not valid, otherwise returns `true`",
  props: {
    shopify_partner,
    appSecretKey: {
      type: "string",
      secret: true,
      label: "App API secret key",
      description:
        "The secret key associated with the Shopify App receiving the webhook.",
    },
    shopifyHmac: {
      type: "string",

This file has been truncated. show original

Short video on how to configure the Pipedream HTTP webhook trigger to use a raw body:

The appSecretKey prop in this example code might align with your LemonSqueezy secret, that is if they’re also using HMAC for signing the request.