# Troubleshooting

#### Common Issues

**1. Signature Verification Fails**

**Problem:** The computed signature doesn't match the received signature.

**Solutions:**

* ✅ Ensure you're using the **raw request body** (not parsed JSON)
* ✅ Verify you're using the correct **Secret Key** from your merchant settings
* ✅ Check that you're computing **HMAC-SHA256** (not SHA256)
* ✅ Ensure the output is a **lowercase hex string**
* ✅ Remove any whitespace/line breaks from the secret key

{% code expandable="true" %}

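```javascript
const crypto = require('crypto');

// ❌ Wrong - Using parsed JSON
// Re-serializing can change whitespace and number formatting, so the bytes differ from what was signed
const wrongSignature = crypto
  .createHmac('sha256', secretKey)
  .update(JSON.stringify(req.body))  // ❌ Don't stringify
  .digest('hex');

// ✅ Correct - Using raw body
// req.rawBody must hold the unmodified request bytes, captured before any JSON parsing
const signature = crypto
  .createHmac('sha256', secretKey)
  .update(req.rawBody)  // ✅ Use raw body
  .digest('hex');
```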

{% endcode %}
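
The checklist above as a runnable check, added here as an illustration and not Paymento's own code. The function names, secret and payload are constructed, and the received signature is passed in as a parameter because the header that carries it is not shown on this page.

```javascript
const crypto = require('crypto');

// Hypothetical helper: lowercase hex HMAC-SHA256 over the exact bytes received.
function computeSignature(rawBody, secretKey) {
  return crypto
    .createHmac('sha256', secretKey.trim()) // drop stray whitespace/line breaks from the key
    .update(rawBody)
    .digest('hex'); // Node's 'hex' encoding is lowercase
}

// Hypothetical helper: true only when the received signature matches.
function verifySignature(rawBody, receivedSignature, secretKey) {
  if (typeof receivedSignature !== 'string') return false;
  const expected = Buffer.from(computeSignature(rawBody, secretKey), 'utf8');
  const received = Buffer.from(receivedSignature.trim(), 'utf8');
  // timingSafeEqual throws on unequal lengths, so reject those first
  if (expected.length !== received.length) return false;
  return crypto.timingSafeEqual(expected, received); // constant-time comparison
}

// Constructed sample data: not a real secret or a real Paymento payload.
const sampleSecret = 'example-secret-key\n'; // trailing line break, as if pasted from a file
const sampleRawBody = Buffer.from('{"id": "evt_1",  "amount": 10.50}', 'utf8');
const sampleSignature = computeSignature(sampleRawBody, 'example-secret-key');

// Runs the checklist's failure modes against the same payload.
function demo() {
  const parsed = JSON.parse(sampleRawBody.toString('utf8'));
  // Re-serializing yields {"id":"evt_1","amount":10.5}: different bytes, different HMAC
  const reserialized = Buffer.from(JSON.stringify(parsed), 'utf8');
  // Plain SHA256 ignores the secret key entirely
  const plainSha256 = crypto.createHash('sha256').update(sampleRawBody).digest('hex');
  return {
    rawBodyOk: verifySignature(sampleRawBody, sampleSignature, sampleSecret),
    reserializedOk: verifySignature(reserialized, sampleSignature, sampleSecret),
    plainSha256Ok: verifySignature(sampleRawBody, plainSha256, sampleSecret),
  };
}

console.log(demo());
```
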

**2. Webhooks Not Being Received**

**Checklist:**

* ✅ Is your endpoint publicly accessible?
* ✅ Is it using HTTPS?
* ✅ Does your firewall allow requests from Paymento's servers?
* ✅ Is the webhook URL correctly configured in the payment link?
* ✅ Are you returning a `200` status code quickly?

**3. Receiving Duplicate Webhooks**\
**Solution:** This is expected behavior. Implement idempotency using `event.id` ([see Best Practices #4](https://docs.paymento.io/payment-links/webhooks-for-payment-links/best-practices)).

**4. Timeout Errors**

**Problem:** Your endpoint takes too long to respond.\
**Solution:** Move heavy processing to background jobs and respond immediately.
