Skip to content

Commit 8bf0d3a

Browse files
authored
fix: correct webhook signature verification to use standard base64 (#88)
Remove URL-safe base64 character replacements (+/- and /_) from signature verification code examples. E2B webhooks send standard base64 signatures (with + and / characters), not URL-safe base64 as previously documented. Updated verification code in JavaScript, Python, and Go to match actual E2B webhook signature format by only removing padding (=) characters.
1 parent 3fe440f commit 8bf0d3a

1 file changed

Lines changed: 2 additions & 4 deletions

File tree

docs/sandbox/lifecycle-events-webhooks.mdx

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -277,7 +277,7 @@ This confirms that the request originated from E2B and has not been tampered wit
277277
```js JavaScript & TypeScript
278278
function verifyWebhookSignature(secret : string, payload : string, payloadSignature : string) {
279279
const expectedSignatureRaw = crypto.createHash('sha256').update(secret + payload).digest('base64');
280-
const expectedSignature = expectedSignatureRaw.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
280+
const expectedSignature = expectedSignatureRaw.replace(/=+$/, '');
281281
return expectedSignature == payloadSignature
282282
}
283283

@@ -295,7 +295,7 @@ import base64
295295
def verify_webhook_signature(secret: str, payload: str, payload_signature: str) -> bool:
296296
hash_bytes = hashlib.sha256((secret + payload).encode('utf-8')).digest()
297297
expected_signature = base64.b64encode(hash_bytes).decode('utf-8')
298-
expected_signature = expected_signature.replace('+', '-').replace('/', '_').rstrip('=')
298+
expected_signature = expected_signature.rstrip('=')
299299

300300
return expected_signature == payload_signature
301301

@@ -316,8 +316,6 @@ func verifyWebhookSignature(secret, payload, payloadSignature string) bool {
316316
hash := sha256.Sum256([]byte(secret + payload))
317317
expectedSignature := base64.StdEncoding.EncodeToString(hash[:])
318318

319-
expectedSignature = strings.ReplaceAll(expectedSignature, "+", "-")
320-
expectedSignature = strings.ReplaceAll(expectedSignature, "/", "_")
321319
expectedSignature = strings.TrimRight(expectedSignature, "=")
322320

323321
return expectedSignature == payloadSignature

0 commit comments

Comments
 (0)