Answered

Signature Verification: shared signing secret

  • May 1, 2026
  • 5 replies
  • 155 views


https://developers.strava.com/docs/webhooks/#signature-verification

What is Strava using for the shared signing secret?

I had assumed my client secret, but I can’t get the hashes to match for love nor money.

I am getting t and v1, no worries (well at least v1 looks right)!

Here’s my PHP (gasp!)
 

<?php
$timestamp = 1777657039;
$rawBody = '{"aspect_type":"update","event_time":1777657039,"object_id":123123123,"object_type":"activity","owner_id":123123123,"subscription_id":123123,"updates":{"title":"Please work"}}';
$clientSecret = 'myDirtyLittleSecret';
$providedSignature = 'theV1HashProvided';

$signedPayload = $timestamp . '.' . $rawBody;
$expectedSignature = hash_hmac('sha256', $signedPayload, $clientSecret);
var_dump(hash_equals($expectedSignature, $providedSignature));

I’ve tried all the available HMAC algorithms, concatenating the $timestamp and $rawBody with a ‘,’ instead of a ‘.’, variations of with/without { and } braces.

Heck, I’ve even spent an hour talking to ChatGPT.

Exhausting my options, this leads me to believe that the “shared signing secret” may be something other than the client secret for my app. Please. Or this is just beyond my skill/understanding. Also possible.

I didn’t think it would be but I’ve tried my client ID anyway. I don’t see anything else to choose from?
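
The check the post above is attempting, written out as an added example (not part of the original post and not Strava's code). It assumes a signature header of the form `t=<unix seconds>,v1=<hex digest>`, which the thread does not show, and a placeholder secret, since per this thread no signing secret is currently exposed; the function names are hypothetical.

```php
<?php
// Added example. Assumptions: header value "t=<unix seconds>,v1=<hex HMAC-SHA256>",
// signed payload "<t>.<raw body>" as in the post above, placeholder secret.

// Split the header into its t and v1 fields; null if either is missing or malformed.
function parseSignatureHeader(string $header): ?array
{
    $parts = [];
    foreach (explode(',', $header) as $pair) {
        $kv = explode('=', trim($pair), 2);
        if (count($kv) === 2) {
            $parts[$kv[0]] = $kv[1];
        }
    }
    if (!isset($parts['t'], $parts['v1']) || !ctype_digit($parts['t'])) {
        return null;
    }
    return ['t' => (int) $parts['t'], 'v1' => strtolower($parts['v1'])];
}

function verifyWebhook(string $header, string $rawBody, string $secret, int $now, int $tolerance = 300): bool
{
    $sig = parseSignatureHeader($header);
    if ($sig === null) {
        return false;
    }
    // Reject stale or far-future timestamps to limit replay of captured requests.
    if (abs($now - $sig['t']) > $tolerance) {
        return false;
    }
    // Sign the exact bytes received; re-encoding decoded JSON changes them.
    $expected = hash_hmac('sha256', $sig['t'] . '.' . $rawBody, $secret);
    // Constant-time comparison: known value first, supplied value second.
    return hash_equals($expected, $sig['v1']);
}

// Constructed sample request, signed locally with the placeholder secret.
$secret = 'placeholder-signing-secret';
$body = '{"aspect_type":"update","object_type":"activity","updates":{"title":"Please work"}}';
$t = 1777657039;
$header = 't=' . $t . ',v1=' . hash_hmac('sha256', $t . '.' . $body, $secret);

var_dump(verifyWebhook($header, $body, $secret, $t + 10));        // untouched request, 10 s old
var_dump(verifyWebhook($header, $body . ' ', $secret, $t + 10));  // body altered by one byte
var_dump(verifyWebhook($header, $body, $secret, $t + 3600));      // replayed an hour later
var_dump(verifyWebhook($header, $body, 'wrong-secret', $t + 10)); // verifier holds a different secret
```

In a real handler the raw body comes from `file_get_contents('php://input')`, read before any JSON decoding.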

 

Best answer by srumery


5 replies

  • Hub Starter
  • May 4, 2026

I just came to the community because I have the exact same question. Signing seems to be pretty new. A few months ago people were still complaining about missing verification for webhooks coming in from Strava: 

 

That is clearly currently a bug where the “signing secret” is not accessible yet. My best guess would be that it should be exposed in the API Application UI settings.

 


  • Hub Starter
  • May 4, 2026

I am also having the same issue. No matter what I try, I can't get the signature verification to pass. I've used the client secret for the webhook signing secret, plus I've tried to create a unique ID as well. Either the docs are not clear or the v1 coming back is based on a different calculation.


  • Author
  • Hub Rookie
  • May 6, 2026

Ah cool, I take some solace that it’s not just me! I did note that it is quite a new thing, so I’ve parked this verification and will return to it once some more light is shed on the issue!


  • Hub Rookie
  • May 13, 2026

Just adding to the chorus. I too would like to verify these requests but cannot do so until Strava provides a mechanism for devs to get their signing secrets.


  • Hub Starter
  • Answer
  • May 22, 2026

Just giving everyone an update here... I heard from the API team that they are currently not supporting the signature verification feature, and they confirmed they are working on it. Apparently, that confirms that there was an issue. They said they're working on it and they have removed the documentation from the webhook page just until they get that resolved.