Symptom

All webhook signature verification fails. Merchants report that they cannot verify any webhook signatures.

What you know

Dispatch is a webhook delivery platform. When a payment event occurs, Dispatch signs the payload and sends it to merchant endpoints. Merchants verify signatures by reconstructing the signed string from the header timestamp and payload.

The signed string format is: ${timestamp}.${payload}

Merchants use the timestamp from the X-Dispatch-Timestamp header to reconstruct this string, then compare the HMAC against the X-Dispatch-Signature header.

Every single merchant reports verification failures — this is not intermittent.

Event → Header Builder → HMAC Signer → HTTP Delivery → Merchant Verification

[header-builder] Signed headers built
  eventId=evt_abc
  headerTimestamp=1731677521    ← seconds
  algorithm=sha256

[hmac-signer] Computing signature
  algorithm=sha256
  timestamp=1731677521000       ← milliseconds!
  signedStringPrefix="1731677521000.{\"event\":\"charge..."