[BUG]: Signature not able to be validated in Next.js routes

[declan-wade]

What happened?

I am having a lot of difficulty getting the webhook signature to validate in the route.ts via the Next.js app router - it just fails every time despite the secret being correct and following the documentation example.

"use server";

import { Webhooks } from "@octokit/webhooks";

const webhooks = new Webhooks({
  secret: "abc",
});

export async function POST(request: Request) {
  try {

    const body = await request.text();
    const signature = request.headers.get("x-hub-signature-256");
   
    if (!signature) {
      return new Response("Missing signature", { status: 401 });
    }
    console.info(signature); // prints:  sha256=2867...... etc

    const isValid = await webhooks.verify(body, signature);
    console.info(isValid);

    if (!isValid) {
      console.log("Signature validation failed");
      return new Response("Invalid signature", { status: 401 });
    }

    console.log("Signature validation successful");
    // rest of code
}

isValid always returns false so the request results in 401 every time

I'm at a loss at what else to try... Happy to debug further if required.

Versions

@octokit/webhooks 14.1.1, next 15.2.4, Node v24.3.0, Bun 1.2.16

Relevant log output

Code of Conduct

• I agree to follow this project's Code of Conduct

[github-actions]

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

[wolfy1339]

I don't personally use NextJS

The code looks fine to me

Are you able to reproduce the issue if you extract the payload and signature, and run the verify() function manually?

[declan-wade]

Thanks for the suggestion, I finally managed to get it working with this approach:

import { verify } from "@octokit/webhooks-methods";

export async function POST(request: Request) {

  const body = await request.text();
  const signature = request.headers.get("X-Hub-Signature-256") ?? "";

  const outcome = await verify(
    process.env.GITHUB_WEBHOOK_SECRET || "",
    body,
    signature,
  );

  return new Response(JSON.stringify(outcome));
}

I'm not sure exactly what difference this made - I am about to deploy this to my environment to confirm this definately fixes it, but maybe this was down to user error rather than a bug. Sorry that it is rather inconclusive...

[declan-wade]

Update: I have successfully deployed the fix but I did notice that the root cause may have been caused by the environment variable being declared as:

GITHUB_SECRET="abc"

Instead of the correct way:

GITHUB_SECRET=abc

If so, that would be a pretty infuriating error on my part 🤦🏻‍♂️

[Uzlopak]

Yep, if you put them into double quotes, then it worked accordingly. Happens to the best.

[wolfy1339]

It's great that you have figured it out.
I'll close it out