Wrike Secure Webhooks Returns Invalid Parameter

This may be an issue on my part, but when I am trying to implement Secure Webhooks by passing in a secret parameter I am getting the following error returned:

"errorDescription": "Web hook url handshake failed",
"error": "invalid_parameter"

Registering the webhook without passing in this secret parameter seems to work just fine. I've reviewed the documentation considerably but cannot find why the error is occurring. Is there anything wrong with how the URL I'm using is formatted? (Removed hookURL for security purposes)


Hi Russell, welcome to the Community and thanks for reaching out 🙂

I'm going to raise a Support ticket for you now so that someone from the team could help you with this. You'll get a notification soon 🙌

Lisa Community Team at Wrike Wrike Product Manager Become a Wrike expert with Wrike Discover



Has this been resolved? I'm getting the same error as described above when trying to set up a hook with a secret.


I am also getting the same error and wondering if this is an error on my side, or on Wrike's server.


Just following up on this, but I was able to get this resolved after getting in touch with the Wrike support team. There wasn't any additional information I had to work with that wasn't in the documentation other than this extra step they provided:

All further events from this webhook will contain the X-Hook-Secret header with value hmacSha256(key: secret, value: request body), so the client can check authenticity of the events.

In case of a handshake failure, Wrike responds to client with HTTP status = 400 and "error": "invalid_parameter", "errorDescription": "Web hook url handshake failed".


The problem I ran into was primarily a fault of how I handled the handshake's creation. On my personal side of things I had to make sure:

  1. The hashed X-Hook-Secret header during initial creation was sent as a response
  2. Handshake registration was done through the payload url (Had a middleware used for this)
  3. Firewall settings allowed IP addresses in range:

Thank you Russell. Your tips helped me find my issue as well.

For me, I was bypassing the handshake with an if-statement for all requests that had an empty req.body, but I used poor logic in the if-statement.

Now I am struggling to achieve a match between the hashed body and the X-Hook-Secret on all non-handshake POST requests.

const hashAttempt = req.get('X-Hook-Secret')
const hashedMessage = hmacSha256(JSON.stringify(req.body), process.env.HOOK_SECRET)

> f3907d9a7ba1207a7cbe8cabcc9c3f8da3e361d65124b6af29cf74b57b8d0a38
> 11fc11d4474eb39a257b08ff6487904f905a97a1c6a9c642f669b7bb46578c68

Where HOOK_SECRET is the same secret that was used to respond to the secure webhook registration.

Have you gotten a match on your end?


The solution to my problem was to decode the request body to text manually, instead of depending on a library.


Using this plain-text string of the request body gave me a matching hmacSha256 hash.
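
The mismatch discussed in the last two posts can be reproduced offline. The following is an added example, not code from any poster or from Wrike: it computes hmacSha256(key: secret, value: request body) over the raw body bytes and shows that re-serializing the parsed JSON yields a different value. The secret, the payload and the function names are constructed for illustration, and the hex encoding of the header is assumed from the hash values posted above.

```javascript
const crypto = require('node:crypto');

// hmacSha256(key: secret, value: request body), computed over the exact bytes received.
function signBody(secret, rawBody) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Compare the received X-Hook-Secret header with the expected value in constant time.
function verifyHookSecret(secret, rawBody, headerValue) {
  if (typeof headerValue !== 'string') return false; // header missing
  const expected = Buffer.from(signBody(secret, rawBody), 'utf8');
  const received = Buffer.from(headerValue.trim().toLowerCase(), 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not a real secret or payload format).
const SECRET = 'example-hook-secret';
const RAW_BODY = Buffer.from('[ {"id": 1, "note": "caf\\u00e9"} ]', 'utf8');
const HEADER = signBody(SECRET, RAW_BODY); // what the sender would put in X-Hook-Secret

// In Express the raw bytes can be kept with
//   express.json({ verify: (req, res, buf) => { req.rawBody = buf; } })
// and req.rawBody passed to verifyHookSecret instead of JSON.stringify(req.body).
function demo() {
  const text = RAW_BODY.toString('utf8');
  const reserialized = JSON.stringify(JSON.parse(text)); // spacing and \u escape are lost
  return {
    rawMatches: verifyHookSecret(SECRET, RAW_BODY, HEADER),
    reserializedMatches: verifyHookSecret(SECRET, reserialized, HEADER),
    tamperedMatches: verifyHookSecret(SECRET, text.replace('"id": 1', '"id": 2'), HEADER),
    missingHeader: verifyHookSecret(SECRET, RAW_BODY, undefined),
  };
}

console.log(demo());
```

Only the raw-bytes check returns true; the re-serialized, tampered and header-less cases are all rejected.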

