Showing results for 
Search instead for 
Did you mean: 

Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions

I am having trouble with the authentication of webhook notifications. Please note that all testing is currently taking place in the sandbox environment. We are not live yet with this application, but planning to go into production on Nov. 6th 2020.


Below is my node.js function to validate the API call as originating from This logic works perfectly when I use the "Test Webhook" button in the merchant portal. But it fails every time when webhook notifications are sent automatically by normal operations of our merchant application. Why would it work fine with the bogus transaction sent to my API from the Test Webhook button, but fail on automated notifications, when both are originating from the sandbox? Please let me know if anyone sees a flaw in my code.


FYI – the entire request object is passed into this function as soon as it is received. I'm using crypto with this statement:

const crypto = require('crypto');


Many thanks in advance!


 * -----------------------------------------------------------------------------------------
 * Compares x-anet-signature hash sent by (x-anet-signature), with computed 
 * hash based on webhook notification body (json payload stringified), using hex signature-key 
 * stored in authnet_connect.js (auth.api_info.signature_key).
 * Returns true if they match, false if they don't match.
 * If they don't match, this notification will be rejected as not sent by
function authenticate_webhook ( req ) {

    // Get signature sent in request header 
    let req_signature = req.headers['x-anet-signature'];
    req_signature = req_signature.substr(7); // remove 'sha512=' from beginning of hash sent

    // Generate keyed-hash message authentication code based on merchant's signature key
    let hmac = crypto.createHmac('sha512', auth.api_info.signature_key);
    let data = hmac.update(JSON.stringify(req.body));
    let gen_hmac= data.digest('hex').toUpperCase();

    utils.log(`hash sent:\n`, req_signature);
    utils.log(`hash computed:\n`, gen_hmac);

    return (req_signature == gen_hmac);



do you have it in active mode?

All Star

Yes, the failure only occurs when it is active and processing automated notifications. My program is capturing and logging the full headers and body from the request, and running the algorithm, and logging the results, and they don't match with live transactions, only on the static transaction sent when using test webhook button in 'inactive' mode. 


Looks like I'm not the only one asking about this. This post shows the exact same logic in node.js, getting the same behavior:



Hello, Were you able to find the solution.

Hello, did you ever resolve this issue? I am unfortunately at a loss for days with the same problem


did the webhook authentication worked for anyone please respond