Skip to main content

Notifications

Community site session details

Community site session details

Session Id : oIJwUXoOvV7xqn64opXxcB
Power Automate - General Discussion
Unanswered

Webhook payload verification using triggerBody()

Like (0) ShareShare
ReportReport
Posted on 26 Mar 2023 21:52:59 by 8,988 Super User 2025 Season 1

Hi, I have some flows that trigger off of HTTP requests for some integrations, including HubSpot. I would like to implement verification of those requests to improve security and for many of the integrations the HTTP request includes a header with some sort of HMAC-based signature.

 

Within my flow, I need to re-calculate the signature, compare it to the one received and if they match we have confidence the message is complete and untampered. While I have build a custom connector to help calculate the HMAC-based signature, I am having troubles performing the calculation when it involves the body of the incoming request, aka the triggerBody().

 

I suspect the issue is coming from Power Automate treating the payload as a JSON object and altering the space/newline structure to make it more human-readable. However, changing a single space in the payload changes it enough that it will no longer generate the same HMAC-based signature.

 

Does anyone have ideas for extracting an unaltered payload out of the trigger so I can correctly calculate the signature and validate the payload?

 

Thanks in advance,

Bryan

  • MelMac-Sage Profile Picture
    2 on 06 Jul 2023 at 13:55:04
    Re: Webhook payload verification using triggerBody()

    I have the same issue, however, they do validate eventually, it sometimes takes one or more retries, and I don't know a way around this yet and am concerned that we will potentially miss messages altogether.

     

    Would like to know if anyone has resolved this?

  • BCLS776 Profile Picture
    8,988 Super User 2025 Season 1 on 11 May 2023 at 18:30:35
    Re: Webhook payload verification using triggerBody()

    I have not been able to get this working in Power Automate due to the issue I pointed out in the original post. Custom connectors do allow us to run a small piece of c# code, which is enough to calculate the hash; however, the extra whitespace introduced as Power Automate handles the message body renders the calculation unusable.

     

    It might work better setting up an Azure Function to handle this, but still on my "to-do" list.

     

    Bryan

  • soch2000 Profile Picture
    2 on 11 May 2023 at 18:16:24
    Re: Webhook payload verification using triggerBody()

    Hi - I'm in a similar position of needing to improve security of http triggered power automate flows using HMAC signature verification. Could you please share what you did to build a custom connector that can calculate the signature? Ultimately does your custom connector outsource the signature calculation to a third party service or are you handling it completely within the connector? Thanks in advance!

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Understanding Microsoft Agents - Introductory Session

Confused about how agents work across the Microsoft ecosystem? Register today!

Warren Belz – Community Spotlight

We are honored to recognize Warren Belz as our May 2025 Community…

Congratulations to the April Top 10 Community Stars!

Thanks for all your good work in the Community!

Leaderboard > Power Automate - General Discussion

#1
ankit_singhal Profile Picture

ankit_singhal 7 Super User 2025 Season 1

#2
Michael E. Gernaey Profile Picture

Michael E. Gernaey 4 Super User 2025 Season 1

#3
David_MA Profile Picture

David_MA 2 Super User 2025 Season 1

Overall leaderboard
Loading started