Webhook and X-Hook-Sercret

Question

Hi. I have a webhook api and I like it to be authenticated against. I have sent a secret parameter to WebHook and Wrike has called my Webhook. { "HttpHeaders": { "Connection": "keep-alive", "Host": "otava-cloudtestcrossplat-agent.frendsapp.com", "User-Agent": "Apache-HttpAsyncClient/4.1.5 (Java/21.0.7)", "Content-Type": "application/json; charset=UTF-8", "traceparent": "00-e9c2349b6ff30fdac991882b34a911ec-34881263708ade27-00", "Content-Length": "46", "X-Hook-Secret": "SJLC0Qxkm0BtUHKplEZP5fHkUPi78LKn", "X-Hook-Signature": "030b2b0a41c6dad8e156f97681f5a0280642f696b1df703a90d270ffbb5bf7a9" }, "PathParameters": {}, "QueryParameters": {}, "HttpParameters": {}, "HttpMethod": "POST", "HttpRequestUri": "", "HttpClientIp": "160.19.162.101", "HttpCookies": {}, "Username": "Anonymous", "HttpContentBytesInBase64": null, "HttpBody": "{"requestType": "WebHook secret verification"}" } I will use the "HttpBody" of the reaquest as the challenge and I have done more or less the same as the copilot and Your https://developers.wrike.com/webhooks/ tells me to. 3. I have the (common) secret and I'm using it to decide if the hmacsha256(secret,httpbody) matches the signature that I receive from header ( X-Hook-Signature ) . if it matches I will provide the response header ( X-Hook-Secret ) with a value I have calculated with hmacsha256(secret,request header ( X-Hook-Secret) ) Otrhewise I will leave the content empty… so I will only sent these headers to the caller. HTTP/2 200 date: Wed, 25 Feb 2026 12:16:56 GMT server: Kestrel X-Hook-Secret: But I get a reply from cloudflare { "Body": { "errorDescription": "Web hook url handshake failed", "error": "invalid_parameter" }, "Headers": { "Content-Type": "application/json; charset=UTF-8", "Content-Length": "80", "Date": "Wed, 25 Feb 2026 12:11:42 GMT", "Connection": "keep-alive", "CF-RAY": "9d371b521a7b0a0e-HEL", "wrike-response-id": "6014f356c14f43b", "Cache-Control": "no-store, must-revalidate, no-cache, max-age=0", "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload", "accept-ch": "Sec-CH-UA,Sec-CH-UA-Mobile,Sec-CH-UA-Full-Version,Sec-CH-UA-Platform,Sec-CH-UA-Platform-Version,Sec-CH-UA-Arch,Sec-CH-UA-Bitness,Sec-CH-UA-Model", "traceid": "e9c2349b6ff30fdac991882b34a911ec", "cf-cache-status": "DYNAMIC", "Server": "cloudflare" }, "StatusCode": 400} Whenever I register the WebHook ( 1. ) What is the cause?

Rohan V · Answer

Hi @Vesa Palssa 🙋‍♂️ thanks for taking the time to post here in the Community.

To assist you further with your query, I’ve asked our Support team to help, and you can expect them to be in touch with you shortly 👍