Webhook signature verification

So I'm trying to add signature verification to the existing webhooks; however, all verifications fail.

We have a plugin that our customers who use Lightspeed can install.

During this process we register webhooks for these customers so we can process orders and products for our customers.

What makes it complicated is that it's unclear to me what exactly we should be using as AppSecret?

Also is the signature calculated over the raw request body or do I need something else?

We register endpoints for the webhooks in a C# .NET Framework 4.5.2 application.

Hoping somebody is able to provide the information I need to get this working!

Kind regards


  • armeny Member Posts: 3

    The same question.

    I'm trying to implement webhook call validation in Node.js, and the signature I'm receiving in the 'x-signature' header doesn't match the signature I'm creating from the payload and secret.

    How is the signature created on the Lightspeed side? Do you sort the keys of the payload object? What secret is used for creating the signature? APP_SECRET or md5(token. APP_SECRET)?

  • dschnare Member Posts: 6
    edited December 2021

    Hey guys. We were spinning our wheels here as well. The documentation is just really bad in this regard.

    Do something like this. You should be able to clean this up quite a bit, but you should get the idea.

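    const crypto = require('crypto')
    const express = require('express')
    const app = express()

    // Keep the raw request body; the signature is computed over this exact text
    function saveRawBodyToReq (req, res, buf, encoding) {
      req.rawBody = buf.toString(encoding || 'utf-8')
    }
    const md5 = (val) => crypto.createHash('md5').update(val).digest('hex')
    app.use(express.json({ verify: saveRawBodyToReq }))
    app.post('/mywebhook', function verify (req, res, next) {
      // Expected signature: hex md5 of raw body followed by the app secret
      const sig = md5(`${req.rawBody}${process.env.LS_APP_SECRET}`)
      const isValid = sig === req.header('x-signature')
      if (!isValid) return res.status(401).end()
      next() // signature matched, continue to the handler
    }, function myHandler (req, res, next) {
      // my code
    })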
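
The check described in the answer above, written as a standalone Node.js function with a constant-time comparison (an added example, not code from the thread or from Lightspeed). It assumes the scheme is hex md5(raw body + app secret) as that answer states; the secret, payload and function names are constructed for illustration, and the demo shows why hashing a re-serialized `req.body` instead of the raw body fails.

```javascript
const crypto = require('crypto')

// Scheme as described in the answer above (an assumption, not vendor-confirmed):
// hex md5(rawBody + appSecret), compared with the x-signature header value.
function expectedSignature (rawBody, appSecret) {
  return crypto.createHash('md5')
    .update(Buffer.isBuffer(rawBody) ? rawBody : Buffer.from(String(rawBody), 'utf8'))
    .update(String(appSecret), 'utf8')
    .digest('hex')
}

// Returns true only for a well-formed, matching header; never throws on bad input.
function verifyWebhook (rawBody, headerValue, appSecret) {
  if (!appSecret) return false // unset secret: reject instead of hashing "undefined"
  if (typeof headerValue !== 'string' || !/^[0-9a-f]{32}$/i.test(headerValue)) return false
  const expected = Buffer.from(expectedSignature(rawBody, appSecret), 'hex')
  const received = Buffer.from(headerValue, 'hex')
  // Both buffers are 16 bytes at this point, which timingSafeEqual requires.
  return crypto.timingSafeEqual(expected, received)
}

// --- constructed sample data (not real Lightspeed traffic) ---
const SECRET = 'example-app-secret'
// Raw body as it might arrive on the wire: note the spaces after ':' and ','.
const RAW_BODY = '{"order": {"id": 1001, "status": "paid"}, "shop": "demo"}'
const HEADER = expectedSignature(RAW_BODY, SECRET) // what the sender would attach

function demo () {
  // Parsing and re-serializing changes the bytes (whitespace is dropped),
  // so the hash no longer matches even though the data is identical.
  const reserialized = JSON.stringify(JSON.parse(RAW_BODY))
  return {
    rawBody: verifyWebhook(RAW_BODY, HEADER, SECRET),
    reserialized: verifyWebhook(reserialized, HEADER, SECRET),
    tampered: verifyWebhook(RAW_BODY.replace('1001', '1002'), HEADER, SECRET),
    missingHeader: verifyWebhook(RAW_BODY, undefined, SECRET),
    wrongSecret: verifyWebhook(RAW_BODY, HEADER, 'other-secret')
  }
}

console.log(demo())
```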