Securing intercom webhooks with signed notifications: what data gets hashed?

I’m trying to secure my Intercom webhook endpoints and I'm following the instructions outlined here:

https://developers.intercom.com/intercom-api-reference/reference#signed-notifications
https://www.intercom.com/help/apps-in-intercom/apps/webhooks

The problem is, neither of those resources are clear about what data actually gets hashed to create the signature and I’ve tried a bunch of different things and still not getting a match.

Does anyone know what part of the notification request is used to generate the sha1 hash that’s included in that x-hub-signature header?

Solution

I recommend looking through the intercom-webhooks GitHub repo for example code in a variety of programming languages for how to handle the webhook signature.

The signature is computed using the entire payload of the POST request.

Stripe "duplicate events" - What time delay to expect?
How to get data from webhook with content-type: application/x-www-form-urlencoded;charset=UTF-8?
How to validate Stripe subscription is active and paid
MS Teams outgoing webhook HMAC authentication
Stripe webhook -Webhook Error: Webhook payload must be provided as a string or a Buffer
Force Gitlab to retry webhooks on failure with Go
Sending Notification in Microsoft Teams using Webhook Request Workflow
Send webhook upon sending or receipt of email
Sending Notification in Teams using Webhook and Power Automate
webhooks of octokit are not working when i am using them through the express server
Webhooks - Validate the v3 request signature HUBSPOT
Microsoft Cards for incoming webhook arrive empty in teams
Error trying to connect Trading View's alerts webhook to Interactive Brokers via Python code, localhost and Ngrok
Meta Cloud API is triggering every webhook for multiple Apps
Verifying simulated PayPal webhook's signature always returns "FAILURE"
Using Webhook URL in Azure Pipeline to send Microsoft Teams Notification
Error replying on WhatsApp Webhook: Message failed to send because more than 24 hours have passed since the customer last replied to this number
channel.createWebhook causes 'no such file or directory' error
Custom UPI payment api?
How to set Telegram bot webhook?
How can i test Facebook webhooks in a development environment?
Whatsapp Webhook data in PHP
How to get the applied promo code once the payment is success?
Whatsapp webhook won't connect with ngrok
Magento external access
Mailchimp Webhooks API v3
Push Notifications/Toasts Summary for Adaptive Cards on Microsoft Teams
Woocommerce webhook to Yii2 API returns 401
Microsoft Teams: How can I forward all messages sent to an Incoming Webhook to a Group Chat?
How to associate sendgrid webhook sg_message_id to sent mail?