Hey! My team was using the Event Webhooks, but after March 7th (around the v2.8 release) it stopped being fired when our features were updated (image 1). Is this a known issue? Also, I saw that Webhooks for SDK Connections was introduced (image2), does that mean we need to migrate our existing webhooks from

Settings > Webhooks

to

SDK Connections > SDK Webhooks

?

Hello, everyone! I Would love to follow up on this one. Does anyone have some feedback?

What is the deal with this breaking?

We relay on this functionality to get all GB feature updates and since we stoped receiving it then we are unable to create, update or delete features. Instead we need to get the payload form the logs and trigger them by ourselves. Is this functionality deprecated and not working anymore?? We need to implement SDK Webhooks to get same functionality?

Yeah having the same issue. Would love to get a definitive answer.

Yes it would be nice to know that so we can allocate effort to update to the new "way" that is still unclear to me.

I migrated to the old Legacy SDK Connections for now. It was very easy as the header signature is the same, the only thing I had to do was update the Secret Key in our Application. @better-dress-85975 @boundless-waiter-96587

Thanks for the insights @enough-camera-24490!

Seems to be working again……

I mean, I guess it is in BETA . The lack of response around this is strange....

Hi folks. Sorry, this thread seemed to have slipped through the cracks. Are you still running into webhook problems for

feature.*

events? Depending on your use case, you may find the SDK Webhook to be more useful. Typically you'd use that for things like seeding or flushing cache for your application or CDN. Event webhooks, on the other hand, would be more for internal tooling, alerts, etc.

@happy-autumn-40938 Thanks for the reply! Yes, we were. Although it sounds like some folks are having success again. I migrated over to the Legacy Webhooks until I learned of a better way. Is there documentation for the new SDK Connection webhooks? The

X-GrowthBook-Signature

that appears in the other two webhooks, doesn't appear to be showing up for these?

The SDK webhooks and legacy webhooks both use the same signature value, but the header key is different:

webhook-secret

. I do not see any docs for the SDK Webhooks... this appears to be an oversight. Until we can add them, here's what they send: method: settable in the UI. Supports

GET, POST, PUT, DELETE, PURGE

headers (pass in custom headers in the UI):

headers: {
        "Content-Type": "application/json",
        "webhook-id": webhookID,
        "webhook-timestamp": date.getTime(),
        "webhook-secret": secret,
        "webhook-sdk-key": key,
        ...customHeaders,
      },

body (optional): Settable in the UI. Not available for

GET

. If set, will send over the SDK Payload in this envelope format:

{
      type: "payload.changed",
      timestamp: date.toISOString(),
      data: {
        payload: sdkPayload
      }
    }

@happy-autumn-40938 Thanks for the info. How are we suppose to use the

webhook-secret

value? It does not appear to be in the same format as the Signature header being passed in the other webhooks?

It's slightly modified from before, based on this spec https://github.com/standard-webhooks/standard-webhooks/blob/main/spec%2Fstandard-webhooks.md#signature-scheme I think the only difference is the new "wh_sec" prefix. You'd do something like this to validate it (add your own error handling. We'll add more guidance to the docs soon.

const computed = crypto
    .createHmac("sha256", signingKey || "")
    .update(res.locals.rawBody || new Buffer(""))
    .digest("hex");

  const received = req.get("webhook-secret");
  const sig = received?.split("whsec_")?.[1] || "";

  if (!crypto.timingSafeEqual(Buffer.from(computed), Buffer.from(sig))) {
    throw new Error("mismatch signatures");
  }

Interesting, I am still not getting a successful match, even when removing the

whsec_

from the secret passed. I will keep playing around with it. Thanks for the response!

have you updated the signing key to the SDK webhook signing key?

Yep, I replaced the key with the

wk_<16chars>

one given when I created the SDK webhook.

also you need to make sure that you are hashing based on the

payload

object not the full body

{"type":"payload.changed","timestamp":"2024-04-02T22:32:44.872Z","data":{}}

Is that the empty data object?

do you have payload turned off?

I do. I'm just busting our cache with the webhook.

you can then just gen the hash with an empty string if your not sending any payload data

Yep, which is what I am doing.

$secret = 'wk_123457';
$hashedContent = hash_hmac('sha256', "", $secret);

return hash_equals($hashedContent, $signature);

what are your settings on the sdk webhook?

POST method with no extra headers.

let me test on my side and see if i can recreate what is going on here

Sounds good. I appreciate it.

i think i found the issue let me get a fix out for this

Looking good! Thanks!