# 57012: Signature invalid

Log Type: APPLICATION

Log Level: ERROR

## Description

This error means the webhook signature on an incoming Messaging request did not match the signature Twilio calculated for that request. Twilio signs inbound webhooks with `X-Twilio-Signature`. For `application/json` requests, Twilio also includes a `bodySHA256` query parameter and expects you to validate the raw request body.

### Possible causes

* You validated the request against a URL that is not exactly the same as the webhook URL Twilio used, including query parameters or URL-encoded characters.
* You did not pass all received form parameters to the validator, or your framework trimmed whitespace from `POST` body fields.
* You treated a JSON webhook body like form data instead of passing the raw body to `validateRequestWithBody`.
* You used the wrong `AuthToken`, including a secondary token that has not been promoted to Primary AuthToken.

### Possible solutions

* Validate the request with the exact webhook URL Twilio requested, and keep any query parameters URL-encoded.
* For `application/x-www-form-urlencoded` requests, pass every received parameter to the SDK validation helper.
* For `application/json` requests, pass the raw body string to `validateRequestWithBody` and let the SDK verify the `bodySHA256` value.
* Use your Primary `AuthToken`, and prefer Twilio's signature validation helpers instead of a custom implementation.

#### Additional resources

* [Webhooks security](/docs/usage/webhooks/webhooks-security)
* [Security](/docs/usage/security)
* [Secure your Flask App by Validating Incoming Twilio Requests](/docs/usage/tutorials/how-to-secure-your-flask-app-by-validating-incoming-twilio-requests)