From 113644f0c3cb7a8bb77e9d978df103664ce97c40 Mon Sep 17 00:00:00 2001
From: Michael Dalva <micdal06@gmail.com>
Date: Sat, 29 Nov 2025 08:41:48 -0800
Subject: [PATCH] Fix webhook signature verification to use original body
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The verifyWebhookEventSignature function was using event.data (the
Zod-validated output) instead of json (the original parsed body) when
computing the signature. This caused verification failures because
Browser Use Cloud signs the raw body, but the SDK was signing the
potentially transformed Zod output.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 src/wrapper/lib/webhooks.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wrapper/lib/webhooks.ts b/src/wrapper/lib/webhooks.ts
index 59936d1..35ae5cf 100644
--- a/src/wrapper/lib/webhooks.ts
+++ b/src/wrapper/lib/webhooks.ts
@@ -81,7 +81,7 @@ export async function verifyWebhookEventSignature(
         }
 
         const signature = createWebhookSignature({
-            body: event.data, // NOTE: We need to encrypt the entire body, not just the payload
+            body: json, // Sign the original parsed body, not the Zod-transformed output
             timestamp: evt.timestamp,
             secret: cfg.secret,
         });