Problem Introduction
Svix-managed webhooks throw signature mismatch errors on receipt.
Why It Happens
- •Incorrectly formatted verification string
- •Missing message ID (`webhook-id`) or timestamp
- •Clock skew bypassing tolerance limits
Step-by-Step Fix
- 1Construct the exact `webhook-id.webhook-timestamp.body` string format.
- 2Ensure your secret drops the `whsec_` prefix when decoding its Base64 value.
- 3Hash the payload using the base64-decoded secret.
- 4Compare your computed signature with all valid versions provided in the header.
Common Mistakes
- •Hashing the body directly instead of building the structured Svix string.
- •Failing to decode the secret from Base64 before hashing.
Debugging Workflow
Extract headers -> decode secret -> construct signature string -> hash -> compare.
Preventive Best Practices
- •Replay test callbacks safely to catch timestamp skew tolerance limits using Hookmetry.
Works with webhooks and other async event systems (including AI callbacks).
Instead of guessing, inspecting the exact payload and headers can help debug faster. Tools like Hookmetry support this workflow.
Try the free webhook testerRelated Documentation