https://developers.strava.com/docs/webhooks/#signature-verification
What is Strava using for the shared signing secret?
I had assumed my client secret, but I can’t get the hashes to match for love nor money.
I am getting t and v1, no worries (well at least v1 looks right)!
Here’s my PHP (gasp!)
<?php
// Values taken from the webhook delivery (placeholders here)
$timestamp = 1777657039;                       // the "t" value from the signature header
$rawBody = '{"aspect_type":"update","event_time":1777657039,"object_id":123123123,"object_type":"activity","owner_id":123123123,"subscription_id":123123,"updates":{"title":"Please work"}}';
$clientSecret = 'myDirtyLittleSecret';         // my app's client secret (assumed to be the signing secret)
$providedSignature = 'theV1HashProvided';      // the "v1" value from the signature header

// Sign "<timestamp>.<raw body>" with HMAC-SHA256 and compare in constant time
$signedPayload = $timestamp . '.' . $rawBody;
$expectedSignature = hash_hmac('sha256', $signedPayload, $clientSecret);
var_dump(hash_equals($expectedSignature, $providedSignature));

I’ve tried all the available HMAC algorithms, concatenating the $timestamp and $rawBody with a ‘,’ instead of a ‘.’, variations of with/without { and } braces.
Heck, I’ve even spent an hour talking to ChatGPT.
Exhausting my options, this leaves me to believe that the “shared signing secret” may be something other than the client secret for my app. Please. Or this is just beyond my skill/understanding. Also possible.
I didn’t think it would be but I’ve tried my client ID anyway. I don’t see anything else to choose from?
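For reference, here is a stand-alone verifier for the scheme the post assumes (HMAC-SHA256 over "timestamp.rawbody", hex-encoded, delivered in a "t=...,v1=..." header). This is an added example written for this thread, not code from the post or from Strava's documentation; the header layout, the 300-second freshness window and the sample values are assumptions, and it does not settle which secret Strava actually signs with. One caveat it encodes: the digest must be taken over the exact request bytes as received, not over JSON that has been decoded and re-encoded.

```python
import hashlib
import hmac


def parse_signature_header(header: str) -> dict:
    """Split a 't=<unix time>,v1=<hex digest>' header into its fields (assumed layout)."""
    fields = {}
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if sep and key:
            fields[key] = value
    return fields


def expected_signature(secret: str, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body bytes>', hex-encoded."""
    signed_payload = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, header: str, raw_body: bytes, now: int, tolerance: int = 300) -> bool:
    """True only if the header is well formed, the timestamp is fresh, and the digest matches."""
    fields = parse_signature_header(header)
    try:
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > tolerance:  # reject replays of old deliveries
        return False
    # Constant-time comparison; never compare digests with ==.
    return hmac.compare_digest(expected_signature(secret, timestamp, raw_body), provided)


# Constructed sample values reusing the post's placeholders (not a real secret or signature).
SAMPLE_SECRET = "myDirtyLittleSecret"
SAMPLE_TS = 1777657039
SAMPLE_BODY = (b'{"aspect_type":"update","event_time":1777657039,"object_id":123123123,'
               b'"object_type":"activity","owner_id":123123123,"subscription_id":123123,'
               b'"updates":{"title":"Please work"}}')


def sample_header() -> str:
    """Build the header a sender using this scheme would attach to SAMPLE_BODY."""
    return f"t={SAMPLE_TS},v1={expected_signature(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY)}"


if __name__ == "__main__":
    print(verify_webhook(SAMPLE_SECRET, sample_header(), SAMPLE_BODY, now=SAMPLE_TS))
```

If a delivery still fails against this verifier, log the raw body bytes and the header as received before doing anything else with them, so the two inputs can be compared byte for byte with what was signed.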
