0

I'm trying to create a Webhook according to the documentation page:

https://www.twilio.com/docs/authy/api/webhooks

My curl call looks like this:

curl -X POST "https://api.authy.com/dashboard/json/application/webhooks" \
   -d name="gridzdev_test" \
   -d app_api_key="7N0..." \
   -d access_key="4za..." \
   -d url="https://some-random-string.ngrok.io/api/2fa/webhook" \
   -d events="user_added" \
   -H "X-Authy-Signature-Nonce: FiNwPdKZci4l3LEn" \
   -H "X-Authy-Signature: feYEERfOSoWCB3ml5cnZFWs5xhc1sPeiWguhlJnokKQ="

Unfortunately, the response I receive is not what I expect:

{"message":"Invalid signature.","success":false,"error_code":"60000"}

The PHP code I'm using to generate signature:

public function handle() {
        $url = 'https://api.authy.com/dashboard/json/application/webhooks';
        $http_method = 'POST';
        $params = 'id=53';
        $nonce = 'FiNwPdKZci4l3LEn';

        $signing_key = 'pr...';

        $data = $nonce . '|' . $http_method . '|' . $url . '|' . $params;
        
        $digest = hash_hmac('sha256', $data, $signing_key, true); // TODO tried with binary = false, but no joy
        $digest_in_base64 = base64_encode($digest);

        $this->info("nonce = $nonce");
        $this->info("signature = $digest_in_base64");
    }
Krzysiek K
  • 1
  • 1
  • 1
    That looks mostly correct, one thing I noticed though is that you have `$params` of `id=53` in your signature generation code, but those params don't appear in the request you're making with `curl`. – philnash Mar 02 '21 at 01:25
  • @philnash According to the documentation, `$params` should be a part of data used for creating signature. – Krzysiek K Mar 02 '21 at 08:35
  • The params you use to create the signature should also be in the URL though. Otherwise the recipient of the request wouldn’t have the params with which to make the signature. In your curl request you are sending a `name` parameter, so that should be included in the secret. – philnash Mar 02 '21 at 10:03
  • @philnash Thank you very much for your help. It's working now. – Krzysiek K Mar 02 '21 at 15:36

0 Answers0