I’m trying to secure my Intercom webhook endpoints and I'm following the instructions outlined here:
- https://developers.intercom.com/intercom-api-reference/reference#signed-notifications
- https://www.intercom.com/help/apps-in-intercom/apps/webhooks
The problem is, neither of those resources are clear about what data actually gets hashed to create the signature and I’ve tried a bunch of different things and still not getting a match.
Does anyone know what part of the notification request is used to generate the sha1 hash that’s included in that x-hub-signature
header?
I recommend looking through the intercom-webhooks GitHub repo for example code in a variety of programming languages for how to handle the webhook signature.
The signature is computed using the entire payload of the POST request.