Stripe Webhook Signature Verification

Use the Stripe-Signature header and the exact raw body to validate Stripe webhook events.

Last updated: 2026-06-24

Stripe signs webhook requests with the Stripe-Signature header. You must combine the timestamp and raw body exactly as Stripe expects before computing the HMAC.

Verification steps

  1. Read the raw body as text or bytes.
  2. Parse t= and v1= from the Stripe-Signature header.
  3. Compute HMAC_SHA256(secret, t + "." + payload).
  4. Compare the result with v1.

Example

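const { createHmac } = require('node:crypto');

// timestamp is the t= value from the header; payload is the raw, unparsed request body
const expected = createHmac('sha256', secret)
  .update(`${timestamp}.${payload}`, 'utf8')
  .digest('hex');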

Common mistakes

  • Using the parsed JSON object
  • Ignoring the timestamp component
  • Letting middleware mutate the body first
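
The verification steps and the common mistakes above, put together as an added example (not code from this page or from Stripe's library). It goes slightly beyond the four steps by accepting more than one v1 value in the header, rejecting timestamps outside a tolerance window, and comparing in constant time. Assumptions: the function names, the sample secret, body and timestamp are constructed for the demo, and the 300-second tolerance is a chosen value.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Parse "t=...,v1=...,v1=..." into the timestamp string and all v1 signatures.
function parseStripeSignature(header) {
  const parsed = { timestamp: null, v1: [] };
  for (const part of String(header || '').split(',')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key === 't' && /^\d+$/.test(value)) parsed.timestamp = value;
    if (key === 'v1' && /^[0-9a-f]{64}$/i.test(value)) parsed.v1.push(value.toLowerCase());
  }
  return parsed;
}

// rawBody must be the unparsed request body (Buffer or string), never re-serialized JSON.
function verifyStripeSignature(rawBody, header, secret, nowSec, toleranceSec = 300) {
  const { timestamp, v1 } = parseStripeSignature(header);
  if (timestamp === null || v1.length === 0) return false;
  // Reject stale or future-dated events before doing any comparison.
  if (Math.abs(nowSec - Number(timestamp)) > toleranceSec) return false;
  const expected = createHmac('sha256', secret)
    .update(`${timestamp}.`, 'utf8')
    .update(rawBody)
    .digest();
  // Constant-time compare; lengths match because each v1 was checked to be 64 hex chars.
  return v1.some((sig) => timingSafeEqual(Buffer.from(sig, 'hex'), expected));
}

// Constructed sample data (not real Stripe values).
const SECRET = 'whsec_example_not_a_real_secret';
const RAW_BODY = '{"id": "evt_example", "type": "charge.succeeded"}';
const T = 1700000000;
const SIG = createHmac('sha256', SECRET).update(`${T}.${RAW_BODY}`, 'utf8').digest('hex');
const HEADER = `t=${T},v1=${SIG}`;

function demo() {
  const reserialized = JSON.stringify(JSON.parse(RAW_BODY)); // whitespace changes
  return {
    valid: verifyStripeSignature(RAW_BODY, HEADER, SECRET, T + 10),
    reserialized: verifyStripeSignature(reserialized, HEADER, SECRET, T + 10),
    stale: verifyStripeSignature(RAW_BODY, HEADER, SECRET, T + 3600),
    wrongSecret: verifyStripeSignature(RAW_BODY, HEADER, 'whsec_other', T + 10),
  };
}
console.log(demo());
```

Only the `valid` case passes: parsing and re-serializing the JSON changes the bytes, so the HMAC no longer matches even though the data is the same.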

FAQ

What header should I read?

Stripe-Signature.

What does a mismatch usually mean?

Wrong secret, modified body, or incorrect timestamp handling.

Capture and verify a real Stripe event in WebhookPilot before debugging your app.