Skip to main content
Question

Verifying Webhook 2 signature hash Hmac Sha256

  • May 21, 2025
  • 2 replies
  • 8 views
C
Forum|alt.badge.img

I am trying to verify the signature of the webhook 2 call Im using java but it doesnt appear to be working. Here is my code

 

		String secret = "Hidden for post";
	    String message = bodyOfRequest;

	     Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
	     SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), "HmacSHA256");
	     sha256_HMAC.init(secret_key);

	     String hash = Base64.encodeBase64String(sha256_HMAC.doFinal(message.getBytes()));
	     logger.info(String.format("Primiary signature: %s from hash: %s", boxSigPrimary, hash));
	     
	     if (!hash.equals(boxSigPrimary)){
	    	 logger.info("hash doesnt match");
	     }

However the hash never matches what am I doing wrong?

    2 replies

    C
    Forum|alt.badge.img

    I think you need to hash the `box-delivery-timestamp` as well as the message body.

    Here is some sample JavaScript code that works:

     

      let hmac = crypto.createHmac('sha256', signatureKey);
  hmac.update(event.body);
  hmac.update(event.headers['box-delivery-timestamp']);
  const signature = hmac.digest('base64');

    The details are at  https://docs.box.com/reference#signatures

     

    Good luck!

    C
    Forum|alt.badge.img

    The official box java sdk have a helper class (BoxWebHookSignatureVerifier.java) to verify webhook signatures. You can look at the tests for basic usage.

    Terms of ServiceAccessibility statement