Webhook Signature Value Length
Incident Report for AuthVia
Postmortem

Postmortem: Webhook Validation Issue

Summary

On February 14, 2024, we encountered an issue with our webhook validation process, which impacted the reliability of webhook notifications for our users. This issue was primarily due to an oversight in updating the encoded value for a new signature length after a service upgrade. The problem was identified and resolved promptly, with a fix deployed to prevent future occurrences. We are committed to maintaining high reliability and transparency, and this postmortem aims to detail the incident, our response, and steps we're taking to improve.

Incident Overview

The incident was caused by an update to our webhook-service, which introduced a new signature length. The encoded value for this new signature was not updated accordingly, leading to validation failures for webhook events.

The issue was first detected by internal monitoring and reported by a user, leading to a swift investigation and resolution.

Impact

A small number of users were directly affected, with only two support tickets filed regarding the issue. However, the potential for broader impact prompted an immediate and thorough response from our team.

Detection and Response

The problem was detected during a routine production review, with further investigations led by our development team. Upon identifying the root cause, we implemented a code fix and deployed a new release to resolve the issue.

Root Cause Analysis

The primary cause of this incident was found to be the lack of updated documentation and testing related to the webhook service's signature validation process. This oversight led to the failure in properly validating webhook events post-update.

Actions Taken

We have taken several steps to address the issue and prevent similar incidents in the future:

  • Implemented a code fix to update the encoded value for the new signature length.
  • Deployed a new release to ensure the issue was resolved.
  • Initiated comprehensive documentation and validation tests for future updates.

Moving Forward

To prevent a recurrence of this or similar issues, we are:

  • Enhancing our testing procedures for all updates to our services, with a focus on comprehensive validation testing.
  • Updating our documentation to reflect the latest changes and ensure all team members have access to accurate, up-to-date information.
  • Reviewing our incident detection and response protocols to shorten detection times and improve our response efficiency.

We understand the importance of reliable webhook notifications for our users and apologize for any inconvenience caused. Our team is committed to learning from this incident and making the necessary improvements to serve you better.

Thank you for your understanding and continued support.

Posted Feb 21, 2024 - 12:05 PST

Resolved
This incident has been resolved.
Posted Feb 14, 2024 - 14:44 PST
Update
A fix has been pushed to production; we are monitoring resolution with impacted partners.
Posted Feb 14, 2024 - 12:04 PST
Monitoring
A recent update to webhooks updated the format of the generated signature-value passed across during subscription invocation. We've noticed this change has broken a couple of our integrators' signature-matching logic. A fix is actively being tested in integration and is expected to be pushed shortly.
Posted Feb 14, 2024 - 10:48 PST
This incident affected: Webhooks.