I’m trying to secure my Intercom webhook endpoints and I'm following the instructions outlined here:
The problem is, neither of those resources are clear about what data actually gets hashed to create the signature and I’ve tried a bunch of different things and still not getting a match.
Does anyone know what part of the notification request is used to generate the sha1 hash that’s included in that x-hub-signature
header?
I recommend looking through the intercom-webhooks GitHub repo for example code in a variety of programming languages for how to handle the webhook signature.
The signature is computed using the entire payload of the POST request.