Not able to perform webhook handshake?

Hey everyone,
I have been trying to set up an Asana webhook using Lambda with an API Gateway.
Here is the Lambda code I’m using:

```python
import hashlib
import hmac
import json
import logging

logger = logging.getLogger()

hook_secret = None

def lambda_handler(request, context):
    global hook_secret
    logger.info("Headers: \n" + str(request["headers"]))
    logger.info("Body: \n" + str(request['body']))
    if "X-Hook-Secret" in list(request['headers'].keys()):
        if hook_secret is not None:
            logger.info("Second handshake request received. This could be an attacker trying to set up a new secret. Ignoring.")
        # Respond to the handshake request :)
        logger.info("New webhook")
        # Save the secret for later to verify incoming webhooks
        hook_secret = request["headers"]["X-Hook-Secret"]
        header = {'X-Hook-Secret': hook_secret}
        response = {
            # (the contents of this dict are not shown in the post)
        }
        return response
    elif "X-Hook-Signature" in list(request['headers'].keys()):
        # Compare the signature sent by Asana's API with one calculated locally.
        # These should match since we now share the same secret as what Asana has stored.
        # hmac needs bytes for both the key and the message.
        signature = hmac.new(hook_secret.encode('ascii', 'ignore'),
                             msg=str(request['body']).encode('utf-8'),
                             digestmod=hashlib.sha256).hexdigest()
        # Both sides of compare_digest must be the same type (bytes here).
        if not hmac.compare_digest(signature.encode('ascii', 'ignore'),
                                   request['headers']["X-Hook-Signature"].encode('ascii', 'ignore')):
            logging.warning("Calculated digest does not match digest from API. This event is not trusted.")
        contents = json.loads(request['body'])
        logger.info("Received payload of %s events", len(contents["events"]))
        return ""
    raise KeyError
```

And this is the response body and header I get while testing my API Gateway:

Response Body

    "method": "POST",
    "body" : "",

Response Headers


Every time I try to create a webhook I get an error with the message “The remote server did not respond with the handshake secret.”
I am not sure what I am doing wrong.
Please help me out, guys.

Have you checked to make sure you’re seeing “New webhook” in your logs to indicate that you are sending back the handshake reply?

Yes, I’m getting “New webhook” in the logs.
Could you please tell me the JSON schema of the response?
Do I have to pass ‘X-Hook-Secret’ or all the headers received in the POST request?

I don’t have the complete JSON response handy at the moment, sorry.

Just X-Hook-Secret.

People have had issues with the SSL certificate they’re using and/or configuration at your server; if you haven’t yet, you might search this section of the forum for “The remote server did not respond with the handshake secret” and you’ll find some discussions of those issues.
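
An added example, not code from any poster in this thread: a handler that returns the handshake reply in the response shape the API Gateway Lambda proxy integration expects, echoing only X-Hook-Secret as an HTTP header, and then verifies X-Hook-Signature on later events. It assumes the proxy integration is in use; `SECRET_STORE` and the helper names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Assumption: stand-in for persistent storage. A module-level variable does
# not reliably survive across Lambda execution environments.
SECRET_STORE = {}

def header(event, name):
    """Case-insensitive lookup; header-name casing can differ per client."""
    for key, value in (event.get("headers") or {}).items():
        if key.lower() == name.lower():
            return value
    return None

def raw_body(event):
    """Return the exact request bytes that the signature was computed over."""
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        return base64.b64decode(body)
    return body.encode("utf-8")

def reply(status, headers=None, body=""):
    # Response shape expected by the Lambda proxy integration.
    return {"statusCode": status, "headers": headers or {}, "body": body}

def lambda_handler(event, context):
    secret = header(event, "X-Hook-Secret")
    if secret is not None:
        if "hook_secret" in SECRET_STORE:
            return reply(403)  # refuse to replace an established secret
        SECRET_STORE["hook_secret"] = secret
        # Echo only X-Hook-Secret, as a real HTTP response header.
        return reply(200, {"X-Hook-Secret": secret})

    signature = header(event, "X-Hook-Signature")
    stored = SECRET_STORE.get("hook_secret")
    if signature is None or stored is None:
        return reply(400)
    expected = hmac.new(stored.encode("utf-8"), raw_body(event),
                        hashlib.sha256).hexdigest()
    # Compare as bytes so a non-ASCII header value cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return reply(401)  # untrusted: do not parse or act on the payload
    events = json.loads(raw_body(event)).get("events", [])
    return reply(200, body=json.dumps({"received": len(events)}))
```

If the integration is not a proxy integration, the returned dict is serialized into the response body instead, and the header has to be mapped in the API Gateway method and integration response settings.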