On the off chance anyone else is wrestling with this, while I know how Ghost calculates the hash based on a secret to be passed via webhook header, and I’m using the same algorithm, I still can’t get it to match up with the hash being passed in the X-Ghost-Signature webhook header.
const crypto = require('crypto');
crypto.createHmac('sha256', secret).update(reqPayload).digest('hex')
Does anyone know what Ghost is hashing? I had assumed it was everything from to tags in the payload, but it seems like that is wrong.
The signature includes a timestamp; you’ll need to strip it:
You can set a webhook secret. Here’s how the secret is generated (tldr: hmac of the request payload signed with the shared secret):
Issue Summary
Issue Title: Unable to Verify Ghost Event Using Webhook
Problem:
I am currently working on integrating webhooks from my Ghost website into my server, and I’m having trouble understanding how to verify that the events received by my server are indeed from my Ghost website and not from a potential malicious source.
Context:
I have set up webhooks in my Ghost website to notify my server of certain events such as new post creation, but I’m not sure how to implement authentication o…
Thanks for that. It’s a weird process, even if I can’t see why it’s not easy to standardize.