Why Am I Receiving The "Invalid signature: Expected HMAC SHA256" Error?

This error comes from Pusher's server when you're trying to subscribe to a private / presence channel. It happens because of a token mismatch: your client is not receiving the correct signature from your auth endpoint. The error is reported on the client side, which is why you see it in Client Logs in the Dashboard.

There are three variables that matter when generating a valid auth token: a secret key, a channel name, and a socket id. So the problem is in one of them. Double check in your server and client code that these values are correct. This page shares more information about the authentication mechanism: https://pusher.com/docs/channels/library_auth_reference/auth-signatures

Here's what happens:

  – when a new pusher object is created on a client, it calls your auth endpoint

  – the auth endpoint on your server signs a token using the authenticate method of our server library

  – your client gets the token from the auth endpoint

  – your client attempts to subscribe to a presence channel with that token

  – the token signature is invalid, and "Expected HMAC SHA256 hex digest..." is reported in your error logs.

It is also possible to experience this issue when the client reconnects during the auth process. A detailed pattern for this is shown in the steps below. While this can cause the error to be emitted, in this scenario the client should be able to subscribe to the channel, so the impact of the error is minimal. Checking whether the client is able to subscribe successfully is a good way to confirm that the scenario below is in play.

  1. Client connects to Channels

  2. Client receives socket ID

  3. Client requests auth token using socket ID.

  4. Client reconnects

  5. Client receives a new socket ID

  6. Client receives auth request response from step 3.

  7. Client emits the invalid HMAC error

  8. Client requests new auth token with new socket ID

  9. Client successfully subscribes to channel

As the client receives an auth token using an old socket ID at step 6, the token received is not valid and so an error is emitted at step 7. However, the flow continues through steps 8 and 9, which means the client is now subscribed to the channel. This means there should be minimal user disruption caused by this error.

You can't catch those errors server side, but you can catch them on the client and then send the info to your server with an error-reporting library (example: https://www.bugsnag.com/platforms/javascript/). If you use the JavaScript library, the code snippet will look something like this:

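    pusher.connection.bind('error', function (err) {
      // Not every error event carries err.error.data, so guard before reading it.
      var message = err && err.error && err.error.data && err.error.data.message;
      if (message && message.includes('Invalid signature')) {
        // Send the error log to your server here.
      }
    });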
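
The three inputs described above (secret key, channel name, socket id) and the reconnect sequence can be checked on the server by recomputing the signature. This is an added example, not part of the original article or of Pusher's libraries; `signAuth` and `diagnoseAuth` are hypothetical helper names, and the key, secret, channel and socket ids are constructed sample values.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Channels auth string: "<app key>:<hex HMAC-SHA256 of the string to sign>".
// String to sign: "<socket_id>:<channel_name>"; presence channels append ":<channel_data>".
function signAuth(key, secret, socketId, channel, channelData) {
  const parts = [socketId, channel];
  if (channelData !== undefined) parts.push(channelData);
  const sig = createHmac('sha256', secret).update(parts.join(':')).digest('hex');
  return `${key}:${sig}`;
}

// Constant-time comparison of two auth strings.
function sameAuth(a, b) {
  const x = Buffer.from(a);
  const y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// Hypothetical server-side diagnostic: classify an auth string against the
// values the client is actually subscribing with. Keep the secret on the server.
function diagnoseAuth(auth, { key, secret, channel, socketId, previousSocketId, channelData }) {
  if (auth.split(':')[0] !== key) return 'wrong_app_key';
  if (sameAuth(auth, signAuth(key, secret, socketId, channel, channelData))) return 'valid';
  if (previousSocketId !== undefined &&
      sameAuth(auth, signAuth(key, secret, previousSocketId, channel, channelData))) {
    return 'stale_socket_id'; // token was signed before the client reconnected
  }
  return 'signature_mismatch'; // wrong secret, channel name or channel data
}

// Constructed sample values, not real credentials.
const ctx = {
  key: 'app-key-example',
  secret: 'app-secret-example',
  channel: 'private-orders',
  socketId: '2222.2222',         // socket ID after the reconnect
  previousSocketId: '1111.1111'  // socket ID the auth request was sent with
};

// Token signed for the old socket ID, as in the reconnect sequence above.
const staleAuth = signAuth(ctx.key, ctx.secret, ctx.previousSocketId, ctx.channel);
console.log(diagnoseAuth(staleAuth, ctx));
```

A `stale_socket_id` result matches the reconnect sequence and resolves on the next auth request; a persistent `signature_mismatch` points at the secret or the channel name.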

Still have questions? Please reach out to our Support team by visiting this page.
