Calculating sha256 for Ghost webhook

On the off chance anyone else is wrestling with this, while I know how Ghost calculates the hash based on a secret to be passed via webhook header, and I’m using the same algorithm, I still can’t get it to match up with the hash being passed in the X-Ghost-Signature webhook header.

crypto.createHmac('sha256', secret).update(reqPayload).digest('hex')

Does anyone know what Ghost is hashing? I had assumed it was everything from to tags in the payload, but it seems like that is wrong.

The signature includes a timestamp, you’ll need to strip it:

Thanks for that. It’s a weird process, even if I can’t why it’s not easy to standardize.