Why does the Stripe-Signature header never match the signature of request.body?


I’m using Python with the Django Rest framework and am trying to receive webhook events correctly from stripe.

However I constantly get this error:

stripe.error.SignatureVerificationError: No signatures found matching the expected signature for payload

This is the code:


def webhook(request):
    sig_header = request.headers.get('Stripe-Signature', None)
    payload = request.body
        event = stripe.Webhook.construct_event(
    except ValueError as e:
        raise e
    except stripe.error.SignatureVerificationError as e:
        raise e

    return HttpResponse(status=200)

I have also tried modifying the request body format like so:

payload = request.body.decode('utf-8')
# and also
payload = json.loads(request.body)

And yet no luck.

The error is coming from the verify_header() class method inside the WebhookSignature class.

This is the part of the method where it fails:

if not any(util.secure_compare(expected_sig, s) for s in signatures):
    raise error.SignatureVerificationError(
        "No signatures found matching the expected signature for payload",

So I printed out exptected_sig and signatures before this line and found that regardless of what format request.body is in, signatures is always there (which is good), but they never match the signature from the header.

Why is this?


When Stripe calculates the signature for the Event it sends you, it uses a specific "payload" representing the entire Event’s content. The signature is done on that exact payload and any change to it such as adding a new line, removing a space or changing the order of the properties will change the payload and the corresponding signature.

When you verify the signature, you need to make sure that you pass the exact raw payload that Stripe sent you, otherwise the signature you calculate won’t match the Stripe one.

Frameworks can sometimes try to be helpful when receiving a request and they detect JSON and automatically parse it for you. This means that you think you are getting the "raw payload/body" but really you get an alternate version. It has the same content but it doesn’t match what Stripe sent you.

This is fairly common with Express in Node.js for example. So, as the developer, you have to explicitly request the exact raw/original payload Stripe sent you. And how to do this can differ based on a variety of factors. There are 2 issues on the stripe-node github with numerous potential fixes here and here.

With Django, the same can happen and you need to make sure that your code requests the raw payload. You seem to use request.body as expected but that’s one thing you want to dig into further.

Additionally, another common mistake is using the wrong Webhook secret. If you use the Stripe CLI for example, it creates a new secret for you that is different from the one you see in the Dashboard for this Webhook Endpoint. You need to make sure you use the correct secret based on the environment you’re in.

Answered By – koopajah

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply

(*) Required, Your email will not be published