
Update Signature Security Verification Helpful Post

Hi! This post is supposed to be a helpful post related to the HMAC-SHA1 signature generation involved in verifying update notifications in the subscriptions API with the X-Fitbit-Signature header. I am using .NET Core.

 

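I had never done any cryptography signature verification before, so it took me a while to figure this out. It would have really helped to be able to see some example code, so I wanted to provide some here. The following works for me. The expected signature and provided signature are the same.

```csharp
// Requires: using System.IO; using System.Security.Cryptography; using System.Text;
// The signing key is the app secret followed by "&".
string key = app_secret + "&";
var key_bytes = Encoding.ASCII.GetBytes(key);
// Signature sent with the update notification.
string signature_provided = Request.Headers["X-Fitbit-Signature"];
using HMACSHA1 myhmacsha1 = new HMACSHA1(key_bytes);
// UTF-8 keeps any non-ASCII characters in the body intact (ASCII would turn them into '?').
byte[] byteArray = Encoding.UTF8.GetBytes(updates.ToString());
using MemoryStream stream = new MemoryStream(byteArray);
byte[] hashValue = myhmacsha1.ComputeHash(stream);
// The Base64 form of the HMAC is what gets compared with the header value.
string expected_signature = Convert.ToBase64String(hashValue);
```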

"updates" is a JsonElement captured as a method parameter with the [FromBody] tag in the method signature. My signature looks like this: public async Task<IActionResult> UpdateWebHook([FromBody] JsonElement updates). I have a [HttpPost] tag above to help with routing. 

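An added example, not part of the original post: the same HMAC-SHA1 check wrapped in a helper that rejects a missing or malformed header and compares the two signatures in constant time. The names `FitbitSignature` and `IsValid` are hypothetical, the secret and body are constructed sample values, and the body is assumed to be the request bytes exactly as received.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class FitbitSignature
{
    // True only if headerValue is the Base64 HMAC-SHA1 of rawBody under app_secret + "&".
    public static bool IsValid(byte[] rawBody, string headerValue, string app_secret)
    {
        if (rawBody == null || string.IsNullOrEmpty(headerValue) || string.IsNullOrEmpty(app_secret))
            return false; // missing body, header or secret: reject

        // HMAC-SHA1 output is always 20 bytes; any other decoded length cannot match.
        Span<byte> provided = stackalloc byte[20];
        if (!Convert.TryFromBase64String(headerValue.Trim(), provided, out int written) || written != 20)
            return false; // not valid Base64, or wrong length

        using var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(app_secret + "&"));
        byte[] expected = hmac.ComputeHash(rawBody);

        // Constant-time comparison: timing does not reveal how many leading bytes matched.
        return CryptographicOperations.FixedTimeEquals(expected, provided);
    }

    public static void Main()
    {
        // Constructed sample values, not real credentials or a real notification.
        string app_secret = "example-app-secret";
        byte[] body = Encoding.UTF8.GetBytes("{\"constructed\":\"sample body\"}");

        // Stand-in for the sender: sign the body the same way the post describes.
        using var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(app_secret + "&"));
        string header = Convert.ToBase64String(hmac.ComputeHash(body));

        Console.WriteLine(IsValid(body, header, app_secret));        // genuine body and header
        Console.WriteLine(IsValid(body, "not-base64!", app_secret)); // malformed header
        body[2] ^= 0x01;                                             // alter one byte of the body
        Console.WriteLine(IsValid(body, header, app_secret));        // tampered body
    }
}
```

Checking the bytes as received, before any JSON parsing, avoids mismatches caused by a change in whitespace or escaping when the body is turned back into text.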