Verify Signature for Moralis Streams not working

export function verifySignature(req: any, secret: string) {
    const ProvidedSignature = req.headers['x-signature'];
    if (!ProvidedSignature) {
        throw new Error('Signature not provided');
    const GeneratedSignature = web3.utils.sha3(JSON.stringify(req.body) + secret);
    if (GeneratedSignature !== ProvidedSignature) {
        throw new Error('Invalid Signature');

This verify signature function did not work for me. I’m unable to verify streams

1 Like

What doesn’t work? Where it fails?

The GeneratedSignature does not match the ProvidedSignature

Did you use your api key as the secret?

Having the same issue. Yes I’m using the API key as the secret.

Our particular setup is using a Fastify web server and pulling the body from the request.

Potentially irrelevant sidenote: I prefer ethersjs to web3. Might allow us to configure our own “signature” on the backend and/or provide parallel examples (e.g. Keccak256)

What is the issue that you have? What is the code that you use to validate the signature? You can use any library to compute the hash.

Disregard. That was on me. Over-engineered it. Still mentally in contract land with packing and encoding.

A simple worked.

1 Like

Hi having a similar issue with invalid signatures @cryptokid I’m working with remix

    const payload = await request.json();
    const signature = request.headers.get('x-signature');

It is getting the signature fine, but telling me the signature is invalid.

  body: payload,
  signature: signature,

The error I am getting is:
MoralisError [Moralis Stream Error]: [S0004] signature is not valid

@cryptokid we’re experiencing this issue as well. We also get a MoralisError [Moralis Stream Error]: [S0004] signature is not valid error. One of our streams was shut down for too many failed deliveries as a result. When retrying these failed deliveries, some execute successfully and some do not for the same reason. Note that our retries that failed only occured when I spammed them all at once. Perhaps this is a timing issue?

1 Like

I don’t know what could have caused an invalid signature check. Could you manually check a signature for a request that failed to check the signature?

For everyone having this issue - make sure you’re setting the streamsSecret correctly. Programmatic by:

      streamsSecret: MORALIS_API_KEY,

or manually by settings it in the Moralis settings page: