I receive "Invalid signature: Expected HMAC SHA256" error – what is that?

 This error comes from Pusher’s server when you're trying to subscribe to a private / presence channel. It happens because of the token mismatch: your client is not receiving the correct signature from your auth endpoint. The error is reported on the client side, this is why you see it in Client Logs in Dashboard.

There are three variables that matter to generate a valid auth token: a secret key, a channel name, and a socket id. So the problem is in one of them. Double check in your server and client code that these values are correct. This page shares more information about authentication mechanism: https://pusher.com/docs/auth_signatures

Here's what happens:
– when a new pusher object is creating on a client, it calls your auth endpoint
– the auth endpoint on your server signs a token using the authenticate method of our server library
– your client gets the token from the auth endpoint
– your client attempts  to subscribe to a presence channel with that token
– the token signature is invalid, and "Expected HMAC SHA256 hex digest..." is reported in your error logs.


You can't catch those errors server side, but you can catch those errors on a client and then send the info to your server with some special library (example: https://www.bugsnag.com/platforms/javascript/). If you use js-library the code snippet will look something like this:

       pusher.connection.bind( 'error', function( err ) {
         if (err.error.data.message.includes("Invalid signature")) {
           <send the error log to your server>
         };


It would be much cleaner if we could use the error code, unfortunately, we don't have an error code associated with "Invalid signature" error for now.

Was this article helpful?
0 out of 0 found this helpful
Haven't found what you were looking for?
Submit a ticket