IsFromSquare Function Check Always Returning False

I am trying to validate my webhook requests in my NodeJS web app, but even after confirming my notification URL and signature key are correct my isFromSquare function always returns false. Below is my code:

```javascript
const { Client, Environment, ApiError, WebhooksHelper } = require("square");

// The URL where event notifications are sent.
const NOTIFICATION_URL = 'https://ajd249rdaproject.website:3000/squarehandler';

// The signature key defined for the subscription.
const SIGNATURE_KEY = '4YWpUFi63U6Yphc2ictfsw';

function isFromSquare(signature, body) {
    return WebhooksHelper.isValidWebhookEventSignature(
        body,
        signature,
        SIGNATURE_KEY,
        NOTIFICATION_URL
    );
}

exports.squarehandler = async (req, res, next) => {
    try {

        if (!isFromSquare(req.headers['x-square-signature'], req.body)) {
            console.log('Unauthorized request was sent');
            return res.status(401).json({ message: 'Unauthorized request' });
        }

        // Code continues here but is irrelevant for this post
```

With this code, my server always outputs “Unauthorized request was sent” even if it’s from Square. Am I using this incorrectly?

I just took a look at the account and I’m seeing 2xx responses in the logs. Were you able to figure out the issue? :slightly_smiling_face:

No sadly, I just commented out the isFromSquare code I had before to continue development.

I have the same issue. The isValidWebhookEventSignature always returns false.

```javascript
const isValid = WebhooksHelper.isValidWebhookEventSignature(
    req.body,
    req.headers["x-square-hmacsha256-signature"],
    signatureKey,
    webhookUrl
)
```

Hey, I couldn’t get it to work. I ended up just performing my own checks and then ensuring my server only accepts these types of requests from Square’s IP addresses. Hope this helps.

There might be a small issue with the way you’re passing the request body to the isFromSquare function. The isValidWebhookEventSignature method expects the raw body of the request as a string, not the parsed JSON object.

When using Express with the body-parser middleware, req.body will typically contain the parsed JSON object, which could be causing the signature validation to fail. You need to access the raw body of the request.

Here’s how you can modify your code to get the raw body:

First, make sure you have the body-parser middleware set up to include the raw body:

```javascript
const bodyParser = require('body-parser');

// Create a middleware that adds the raw body to the request object
const rawBodyBuffer = (req, res, buf, encoding) => {
  if (buf && buf.length) {
    req.rawBody = buf.toString(encoding || 'utf8');
  }
};

app.use(bodyParser.json({ verify: rawBodyBuffer }));
```

Then, in your squarehandler function, use req.rawBody instead of req.body:

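```javascript
exports.squarehandler = async (req, res, next) => {
    try {
        // isValidWebhookEventSignature checks the HMAC-SHA256 signature, which
        // Square sends in the x-square-hmacsha256-signature header.
        if (!isFromSquare(req.headers['x-square-hmacsha256-signature'], req.rawBody)) {
            console.log('Unauthorized request was sent');
            return res.status(401).json({ message: 'Unauthorized request' });
        }

        // Code continues here
```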

This change ensures that you’re passing the raw, unmodified body as a string to the isValidWebhookEventSignature method, which should allow the signature validation to work correctly.

Remember that req.rawBody needs to be set before any other middleware that modifies req.body, so the order of your middleware is important. Make sure the rawBodyBuffer middleware is used before any other body-parsing middleware. :slightly_smiling_face:
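Why the parsed body fails, shown as an added example that is not code from any post in this thread or from the Square SDK: it re-implements the check with Node's `crypto` module only, assuming the signature is the base64 HMAC-SHA256 of the notification URL concatenated with the raw request body. The key, URL and payload are constructed sample values, and `computeSignature`, `verifySignature` and `demo` are hypothetical helper names.

```javascript
// Added example: standalone re-implementation of the check, for illustration only.
const crypto = require('crypto');

// Constructed sample values (not real credentials or endpoints).
const SIGNATURE_KEY = 'constructed-signature-key';
const NOTIFICATION_URL = 'https://example.com/squarehandler';

// Assumed scheme: base64(HMAC-SHA256(key, notificationUrl + rawBody)).
function computeSignature(rawBody, key, url) {
  return crypto.createHmac('sha256', key).update(url + rawBody, 'utf8').digest('base64');
}

// Constant-time comparison so the check does not leak how many bytes matched.
function verifySignature(rawBody, signatureHeader, key, url) {
  if (typeof rawBody !== 'string' || typeof signatureHeader !== 'string') return false;
  const expected = Buffer.from(computeSignature(rawBody, key, url));
  const received = Buffer.from(signatureHeader);
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

// Constructed payload exactly as it would arrive on the wire (note the spacing and 10.0).
const rawBody = '{"merchant_id": "M123",  "type":"payment.updated", "data":{"amount":10.0}}';
// The header value the sender would attach for that exact byte sequence.
const header = computeSignature(rawBody, SIGNATURE_KEY, NOTIFICATION_URL);

function demo() {
  const parsed = JSON.parse(rawBody);          // what req.body holds after JSON parsing
  const reserialized = JSON.stringify(parsed); // whitespace and 10.0 -> 10 no longer match the wire bytes
  return {
    raw: verifySignature(rawBody, header, SIGNATURE_KEY, NOTIFICATION_URL),
    reserialized: verifySignature(reserialized, header, SIGNATURE_KEY, NOTIFICATION_URL),
    parsedObject: verifySignature(parsed, header, SIGNATURE_KEY, NOTIFICATION_URL),
    // The URL is part of the signed data, so even a trailing slash breaks the match.
    wrongUrl: verifySignature(rawBody, header, SIGNATURE_KEY, NOTIFICATION_URL + '/'),
  };
}

console.log(demo());
```

Only the unmodified wire bytes verify; the parsed object, its re-serialized form and a notification URL that differs by one character are all rejected.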