Problem with verify the X-TAIGA-WEBHOOK-SIGNATURE in nodejs

Hi guys,
I’m developing a webhook for Taiga integrations, but when I receive the payload and try to generate the hmac hash, the X-TAIGA-WEBHOOK-SIGNATURE and my generated hash don’t match.

const key = ‘mi key’;
const signature = req.headers[‘X-TAIGA-WEBHOOK-SIGNATURE’];
const body = JSON.stringify(req.body);

const hmac = crypto.createHmac(‘sha1’, key);

const calculatedSignature = hmac.digest(‘hex’);
if (signature === calculatedSignature){
} else {
console.log(‘Signature invalida’);

Any idea because it does not generate the same hash as X-TAIGA-WEBHOOK-SIGNATURE?


@ajmarmar, could req.body already be a string? Try with

const hmac = crypto.createHmac(‘sha1’, key);

Thanks for your quick reply, I did tests as if were a string or JSON object but the result is not the same as x-taiga-webbook-signature.

Well, this is what documentation say about the signature verification of a webhook, so it should work as we expected. I’ll try to create a complete example to test it in javascript (with a node server) and improve the documentation.

1 Like


I also tried with a python script, but that didn’t work either.


It could be because you have to encode the data to utf8. Maybe with utf8 - npm.


We use encode utf8.

Could you give us an example of a body, key and signature that works for you so we can test it?


This is my example in python

  1. Create the webhook and send a test messsage:

  2. Show the received message in the test server
  3. And verify the signature.

The code to verify the signature

In [14]: import hmac

In [15]: import hashlib

In [16]: def verify_signature(key, data):
    ...:     mac ="utf-8"), msg=data.encode("utf8"), digestmod=hashlib.sha1)
    ...:     return mac.hexdigest()

In [17]: signature = '01587d7bdfee8892efed7f19d7712d1ae37955f7'

In [18]: body = '{"action": "test", "type": "test", "by": {"id": 9, "permalink": "", "use
    ...: rname": "bameda", "full_name": "David Barragán Merino", "photo": "
    ...: cc2d04bbfcc50f33323c39cce79b1386dfafd442a16d7650e9bd314f/bameda_avatar_400x400.png.80x80_q85_crop.png?token=ZLZjLw%3
    ...: A_xfhG7oJl0s7p-a5TWWLVwsBCGEFgs_STcR3KxxmEuLeYlPTfgAPrmNc1_PeB8oHd-9Kl7otMD0hgYZQNPtzoQ", "gravatar_id": "ca3f184c1e
    ...: 11414128d75b06509535bf"}, "date": "2023-07-18T10:02:23.863Z", "data": {"test": "test"}}'

In [19]: key = 'very_secret'

In [20]: verify_signature(key, body)
Out[20]: '01587d7bdfee8892efed7f19d7712d1ae37955f7'

In [21]: verify_signature(key, body) == signature
Out[21]: True

I hope this can help

Thank you, I’ll do a few tests and I’ll comment on them.



I did test and I can do the check fine. My problem was that the json I received didn’t have the format as you sent me, the atributes and values are separated by a space, while I obtein a json string without spaces.

Other hand, the payload that Taiga show is not the same (in order of attributes and format) that you received in “”.


oh!, we’ll check this behavior. Thanks.