diff --git a/lark_oapi/card/action_handler.py b/lark_oapi/card/action_handler.py
index 460f87587..930f02443 100644
--- a/lark_oapi/card/action_handler.py
+++ b/lark_oapi/card/action_handler.py
@@ -100,8 +100,8 @@ def _verify_sign(self, request: RawRequest) -> None:
 timestamp = request.headers.get(LARK_REQUEST_TIMESTAMP)
 nonce = request.headers.get(LARK_REQUEST_NONCE)
 signature = request.headers.get(LARK_REQUEST_SIGNATURE)
- bs = (timestamp + nonce + self._verification_token).encode(UTF_8) + request.body
- h = hashlib.sha1(bs)
+ bs = (timestamp + nonce + self._encrypt_key).encode(UTF_8) + request.body
+ h = hashlib.sha256(bs)
 if signature != h.hexdigest():
 raise AccessDeniedException("signature verification failed")
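Review bot: The check `if signature != h.hexdigest():` that follows the new SHA-256 line is an ordinary string comparison, not a constant-time one, and a request missing any of the three headers makes `timestamp + nonce + self._encrypt_key` raise TypeError instead of AccessDeniedException. I would reject a missing header before building `bs` and compare with `if signature is None or not hmac.compare_digest(signature.encode(UTF_8), h.hexdigest().encode(UTF_8)):`, which needs `hmac` imported if the file does not already have it. _verify_sign begins above the hunk, so a guard for absent headers or an unset `_encrypt_key` may already exist there; if it does not, an empty key would leave the digest computable from public request data alone, which is worth confirming. Nothing visible here bounds the age of `timestamp`, so replay protection presumably lives elsewhere or should be noted in a comment.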