Fix webhook verification

LarsenCundric · LarsenCundric · commit bf1aa5a20778 · 2025-11-24T19:48:53.000-08:00
diff --git a/examples/webhooks.py b/examples/webhooks.py
@@ -26,19 +26,21 @@ def mock_webhook_event() -> Tuple[Dict[str, Any], str, str]:
         metadata={"progress": 25},
     )
 
-    signature = create_webhook_signature(
-        payload=payload.model_dump(),
-        timestamp=timestamp,
-        secret=SECRET,
-    )
-
     evt: Webhook = WebhookAgentTaskStatusUpdate(
         type="agent.task.status_update",
         timestamp=datetime.fromisoformat("2023-01-01T00:00:00"),
         payload=payload,
     )
 
-    return evt.model_dump(), signature, timestamp
+    # Create signature from the full event body
+    evt_dict = evt.model_dump()
+    signature = create_webhook_signature(
+        body=evt_dict,
+        timestamp=timestamp,
+        secret=SECRET,
+    )
+
+    return evt_dict, signature, timestamp
 
 
 def main() -> None:
diff --git a/src/browser_use_sdk/lib/webhooks.py b/src/browser_use_sdk/lib/webhooks.py
@@ -10,8 +10,6 @@
 
 # Models ---------------------------------------------------------------------
 
-# test
-
 
 class WebhookTestPayload(BaseModel):
     """Test webhook payload."""
@@ -53,20 +51,20 @@ class WebhookAgentTaskStatusUpdate(BaseModel):
 # Methods --------------------------------------------------------------------
 
 
-def create_webhook_signature(payload: Any, timestamp: str, secret: str) -> str:
+def create_webhook_signature(body: Any, timestamp: str, secret: str) -> str:
     """
-    Creates a webhook signature for the given payload, timestamp, and secret.
+    Creates a webhook signature for the given body, timestamp, and secret.
 
     Args:
-        payload: The webhook payload to sign
+        body: The webhook body to sign
         timestamp: The timestamp string
         secret: The secret key for signing
 
     Returns:
         The HMAC-SHA256 signature as a hex string
     """
 
-    dump = json.dumps(payload, separators=(",", ":"), sort_keys=True)
+    dump = json.dumps(body, separators=(",", ":"), sort_keys=True)
     message = f"{timestamp}.{dump}"
 
     # Create HMAC-SHA256 signature
@@ -101,8 +99,16 @@ def verify_webhook_event_signature(
         else:
             json_data = body
 
-        # PARSE
+        # NOTE: Do not use the parsed json_data (model_dump()) for signature verification, use the original json_data (raw body) instead.
+        # The signature is created from the original body, not the parsed model
+        calculated_signature = create_webhook_signature(
+            body=json_data, timestamp=timestamp, secret=secret
+        )
 
+        if not hmac.compare_digest(expected_signature, calculated_signature):
+            return None
+
+        # PARSE
         webhook_event: Optional[Webhook] = None
 
         if webhook_event is None:
@@ -121,15 +127,6 @@ def verify_webhook_event_signature(
         if webhook_event is None:
             return None
 
-        # Verify
-
-        calculated_signature = create_webhook_signature(
-            payload=webhook_event.payload.model_dump(), timestamp=timestamp, secret=secret
-        )
-
-        if not hmac.compare_digest(expected_signature, calculated_signature):
-            return None
-
         return webhook_event
 
     except Exception:
