Twilio webhook: fail to validate signature
I have a webhook set in my Twilio console for Messaging: it is a POST to a URL of the form https://apim.com/twilio?ApiKey=xxxxxxxxx, which calls an API Manager (which then redirects to my REST app written in Java).
On SMS sent, I receive the HTTP request along with the header X-Twilio-Signature, and a formData with key "Body" and value my SMS content (I always try so far with the message "test").
I use the Twilio SDK (latest version 8.29.0) to validate as follows:
```java
RequestValidator requestValidator = new RequestValidator(twilioAuthToken); // "twilioAuthToken" contains the primary auth token (there is no secondary)
String twilioHttpRequest = "https://apim.com/twilio?ApiKey=xxxxxxxxx"; // this url is exactly the one provided in the webhook
String signature = request.getHeader("X-Twilio-Signature");
Map<String, String> paramsTest = new HashMap<>();
paramsTest.put("Body", "test"); // "test" is the sms message i always send
boolean isValid = requestValidator.validate(twilioHttpRequest, paramsTest, signature);
```
And the validation always fails.
I tried many other things:
- without the Body
- without the SDK, by following the instructions on the Twilio website, etc., but to no avail.
I also noticed that the incoming signature is always different whenever I send an SMS, which makes me think that a date field or something else is being used to generate it.
Any help would be appreciated!
Solution 1:[1]
I finally solved this validation problem.
Turns out I was not using all the form parameters sent by Twilio (there are quite a few: https://www.twilio.com/docs/messaging/guides/webhook-request). That's why the validation kept failing.
Also a great help for Spring users: https://github.com/mjg123/ValidatingTwilioWebhooks
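Why validating with only `Body` fails, shown as an added example (not code from the original post or from the Twilio SDK): it re-implements the signature scheme described in Twilio's documentation using only the JDK and checks the same header against a partial and a complete parameter map. The class name, auth token, SIDs and phone numbers are constructed sample values.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;

public class TwilioSignatureDemo {
    // Documented scheme: Base64(HMAC-SHA1(authToken, url + key1 + value1 + key2 + value2 ...)),
    // with the POST form fields sorted by key and no delimiters between them.
    static String sign(String authToken, String url, Map<String, String> form) throws Exception {
        StringBuilder data = new StringBuilder(url);
        for (Map.Entry<String, String> e : new TreeMap<>(form).entrySet()) {
            data.append(e.getKey()).append(e.getValue());
        }
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(authToken.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        byte[] digest = mac.doFinal(data.toString().getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    static boolean validate(String authToken, String url, Map<String, String> form, String header)
            throws Exception {
        if (header == null) return false; // missing X-Twilio-Signature: reject
        // Constant-time comparison of expected and received signatures.
        return MessageDigest.isEqual(sign(authToken, url, form).getBytes(StandardCharsets.UTF_8),
                                     header.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String authToken = "constructed-auth-token";             // constructed value
        String url = "https://apim.com/twilio?ApiKey=xxxxxxxxx"; // webhook URL from the question
        // ApiKey is part of the URL, so it is not repeated as a form field.

        // Constructed subset of the form fields posted for an incoming SMS.
        Map<String, String> allFields = new TreeMap<>();
        allFields.put("AccountSid", "ACxxxxxxxxxxxxxxxx");
        allFields.put("MessageSid", "SMxxxxxxxxxxxxxxxx"); // unique per message, so the signature changes every time
        allFields.put("From", "+15550000001");
        allFields.put("To", "+15550000002");
        allFields.put("Body", "test");

        String header = sign(authToken, url, allFields); // what the sender computes over every field

        System.out.println("Body only:  " + validate(authToken, url, Map.of("Body", "test"), header));
        System.out.println("All fields: " + validate(authToken, url, allFields, header));
    }
}
```

In a real handler the map passed to the validator should be built from every field of the posted form body exactly as received, rather than from values the application expects.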
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Khalil Bouzekri |
