Xero webhook: Intent to receive

bailey · April 17, 2022, 3:07am

I’m having issues validating a Xero webhook intent to receive.

Here is the Xero documentation:

The Xero documentation states :

If the payload is hashed using HMACSHA256 with your webhook signing key and base64 encoded, it should match the signature in the header. This is a correctly signed payload . If the signature does not match the hashed payload it is an incorrectly signed payload .

To gain Intent to receive validation, the receiving url must respond with status: 200 Ok for all correctly signed payloads and respond with status: 401 Unauthorized for all incorrectly signed payloads .

Backend workflow I’ve set up the following:

But when I validate it through Xero developer portal I receive an error:

Here is the raw API workflow:

What am I doing wrong?

aaronsheldon · April 17, 2022, 5:31am

It looks like you are validating the signature of the headers NOT the JSON body. To fix this you will have to reconstitute the JSON exactly as it was transmitted and then go through the signature validation. Or dirty little secret you could just always return 200. At least for now. Although blindly accepting data is always a very bad security practice.

bailey · April 17, 2022, 5:45am

Yes, I tried to return a 200 to get it set up but I get the following error when trying to validate it with Xero:

How do you "reconstitute the JSON exactly as it was transmitted and then go through the signature validation? How do I do this with the “only when” condition?

aaronsheldon · April 17, 2022, 9:10pm

Try changing the reponse type drop down to text and then return an an empty string. See the reponse action

bailey · April 18, 2022, 1:19am

I don’t see “text” as an option:

Are you able to share screenshots of how you’ve successfully validated a xero webhook intent?

aaronsheldon · April 18, 2022, 3:42am

That is the reponse Bubble receives not sends. To send a response, even an empty one, you need to use the action in the hyperlink above.

Trinitrotoluol · October 6, 2022, 11:39am

Hello, have you been able to solve this problem?

anthony.lyon · June 21, 2023, 2:40am

Hi @bailey , Have you been solve this problem?

reid4010 · November 7, 2023, 8:20am

Hi, has anyone been able to work this out?

shanek · February 6, 2024, 8:22pm

Any updates in 2024? @aaronsheldon @bailey

chad5 · June 3, 2024, 10:54am

Nothing?

will_ericksson · June 4, 2024, 6:44am

Use Zapier or Make.

chad5 · June 5, 2024, 5:26am

Thanks @will_ericksson,

So I would intialize Xero to send webhooks to Make and that would forward it to bubble?

Will this work if my app will have multiple customers Xero accounts connected?

will_ericksson · June 5, 2024, 5:51am

@chad5 we’ve only used Zapier. Go to Zapier and see which Xero events can trigger a Zap. I think it’s invoice and contact changes. From there you can setup a Bubble step to send the data to your webhook.

(2) This solution would NOT support multiple Xero accounts for different Bubble users in one Bubble app. We only have this configured into a 1:1 relationship Xero to Bubble.

chad5 · June 5, 2024, 7:59am

Ok thanks @will_ericksson

I think I could get it to happen on make thanks for the tip

harry7 · July 27, 2024, 3:32pm

Has anyone been able to get this to work?

chad5 · July 27, 2024, 10:49pm

I was not

reid4010 · July 28, 2024, 12:27am

I use hookdeck for this. They have a preset feature specifically for Xero Intent to Receive.

This video by Matt Neary is gold:

He also has another video which is useful, I’m sure you’ll find it on his channel.

Topic		Replies	Views
Webhook Xero: Intent to receive Need help	1	326	December 15, 2022
XERO Webhook - need help APIs	10	67	January 21, 2025
Trouble with Stripe webhook signing in test mode APIs	4	42	March 20, 2025
Webhook requires HMAC-SHA256 signature for verification APIs	29	7015	May 5, 2023
Xero API - Initialize Call APIs	2	289	April 3, 2023

Xero webhook: Intent to receive

Related topics