I have had issues with production account webhooks for my client for the past 3 days. Yesterday, I finally convinced my client to let me into the merchant interface to configure them. She previously wanted to do it herself due to some paranoia about the security of her account. I log in and see that she misspelled the endpoint URL. So I fix this and run a test last night. The issue seemed to be partially resolved, because the webhooks were hitting our endpoint.
I have various log files set up for testing. On the test yesterday, although we were hitting our endpoint I was getting a log file indicating the hash verification failed. I figured this was a signature key issue. Today we get a new signature key first thing, and when I run the tests we are no longer even getting a hit on our endpoint. I am not sure why this is. We had selected the "disable old signature key" box when obtaining the new one. How this may have something to do with it idk.
My endpoint has a script that does automated db updates to indicate when a customer successfully pays on the accept hosted form.
The process is like this:
1: the endpoint captures the payload and hashed header
2: The payload is hashed and verified against the hashed header
3: If the verification fails, a log file is created and everything stops
4: If the verification passes, the transaction Id is extracted from the payload
5: Then the id is used to do a getTransactionDetails call to pull the previously passed invoice
6: The transactionId is inserted into the db table for the record containing the invoice
7: The customer's shopping cart is cleared (this is a backup, the cart is typically cleared when the customer hits the continue button on the receipt page but for those who x out I catch them with the webhook)
I have stripped down every piece of this to the bare essentials. Not one single step is working. I am not getting a payload, I am not getting any headers, at all, none of it. I think I am missing something.
After playing tug of war with this all morning, I switch over to my sandbox account and the full script executes on the first go round. Keep in mind that I have tested hundreds of these on my sandbox and not one has failed. This is a mystery to me, but I somehow can't help but think it has something to do with the generation of the new signature key.
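Steps 1 to 3 of the process above, as an added example that is not part of the original post: verify the raw request body against the signature header and return a distinct reason for each failure, so a missing header, a malformed header and a key mismatch after a signature key rotation can be told apart in the log. The header name `X-ANET-Signature`, the `sha512=` prefix, HMAC-SHA512 with the signature key used as a text string, and all function names are assumptions; the keys and payload are constructed.

```python
import hashlib
import hmac

# Assumption: header name and "sha512=" prefix follow the gateway's webhook docs.
SIGNATURE_HEADER = "x-anet-signature"


def verify_webhook(raw_body: bytes, headers: dict, candidate_keys: dict) -> tuple:
    """Return (ok, reason). candidate_keys maps a label ("current", "previous")
    to a signature key, so a rotation problem shows up as a named match."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER)
    if received is None:
        return False, "missing-signature-header"
    algo, sep, digest_hex = received.strip().partition("=")
    if sep != "=" or algo.lower() != "sha512":
        return False, "malformed-signature-header"
    try:
        received_mac = bytes.fromhex(digest_hex)
    except ValueError:
        return False, "malformed-signature-header"
    for label, key in candidate_keys.items():
        # Hash the exact bytes received; re-serialised JSON will not match.
        # Assumption: the key is used as a text string, not hex-decoded.
        expected = hmac.new(key.encode(), raw_body, hashlib.sha512).digest()
        if hmac.compare_digest(expected, received_mac):  # constant-time compare
            return True, f"matched-{label}-key"
    return False, "signature-mismatch"


def handle(raw_body: bytes, headers: dict, candidate_keys: dict) -> str:
    """Steps 1-3: refuse to touch the payload unless it verifies."""
    ok, reason = verify_webhook(raw_body, headers, candidate_keys)
    if not ok:
        return f"rejected:{reason}"  # write this reason to the log, then stop
    return f"accepted:{reason}"  # only now parse JSON and read the transaction id


# Constructed sample data (not real keys or payloads).
OLD_KEY, NEW_KEY = "0F" * 64, "A1" * 64
BODY = b'{"eventType":"constructed.sample","payload":{"id":"1234567890"}}'
SIG = "sha512=" + hmac.new(NEW_KEY.encode(), BODY, hashlib.sha512).hexdigest().upper()

if __name__ == "__main__":
    print(handle(BODY, {"X-ANET-Signature": SIG}, {"current": NEW_KEY}))
    print(handle(BODY, {"X-ANET-Signature": SIG}, {"current": OLD_KEY}))
    print(handle(BODY, {}, {"current": NEW_KEY}))
```

A request that never reaches the endpoint produces none of these reasons, which separates a delivery problem from a verification problem.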