Webhook Signature Verification Guide
Always verify webhook signatures against the raw body before trusting the request.
Last updated: 2026-06-24
Webhook signature verification proves that the payload was produced by a holder of the shared secret (the provider) and was not modified in transit. It must happen before you act on the event or write any business data, and before you parse the body for anything other than verification.
General flow
- Read the raw request body as the exact bytes received, before any JSON parsing or re-encoding.
- Read the provider's signature header.
- Compute the expected digest (typically HMAC-SHA256) over the raw body with your shared secret.
- Compare the expected and received values with a constant-time comparison.
- Reject mismatches, missing headers, and malformed headers with an error response, and do not process the event.
Common mistakes
- Verifying against parsed JSON instead of the raw body (re-serializing changes whitespace and key order, so the digest no longer matches)
- Logging the shared secret
- Accepting unsigned requests in production, for example by skipping verification when the header is absent
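The flow above, and the first and third mistakes, as an added example that is not part of the original page or any provider's SDK. It assumes a generic HMAC-SHA256 scheme carried in a header named X-Signature with a "sha256=" prefix; the secret, body, and header name are constructed for the example, and real providers use their own header names and encodings.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample values for this example. A real secret comes from the
# provider's dashboard and lives in a secret manager, never in source or logs.
SECRET = b"whsec_example_do_not_use"
RAW_BODY = b'{"id":"evt_123","type":"order.paid","amount":1999}'
SIGNATURE_HEADER = "X-Signature"  # assumed header name; providers differ


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, hex-encoded with a scheme prefix."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Return True only when header_value is the HMAC of raw_body under secret.

    A missing or malformed header is a rejection, never a pass-through.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = compute_signature(secret, raw_body).encode("ascii")
    try:
        received = header_value.encode("ascii")
    except UnicodeEncodeError:
        return False
    # compare_digest takes the same time wherever the first mismatch is;
    # == stops at the first differing byte and leaks that position via timing.
    return hmac.compare_digest(expected, received)


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes) -> Tuple[int, str]:
    """Minimal handler: verify first, parse JSON only after the signature passes."""
    if not verify_signature(secret, raw_body, headers.get(SIGNATURE_HEADER)):
        return 400, "invalid signature"
    event = json.loads(raw_body)
    return 200, f"processed {event['type']}"


def reserialized_body(raw_body: bytes) -> bytes:
    """What parsing and re-encoding the body produces: same data, different bytes."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    sig = compute_signature(SECRET, RAW_BODY)
    print(handle_webhook(SECRET, {SIGNATURE_HEADER: sig}, RAW_BODY))  # (200, 'processed order.paid')
    # Verifying the re-serialized JSON fails even though the payload "looks" the same.
    print(verify_signature(SECRET, reserialized_body(RAW_BODY), sig))  # False
    # A tampered amount fails.
    print(verify_signature(SECRET, RAW_BODY.replace(b"1999", b"1"), sig))  # False
    # An unsigned request fails instead of falling through.
    print(handle_webhook(SECRET, {}, RAW_BODY))  # (400, 'invalid signature')
```

In a real framework, take the body from whatever gives you the unmodified bytes (for example the raw request stream) rather than from a JSON-parsing middleware. Some providers also put a timestamp in the signature header and sign it together with the body; checking that timestamp against a tolerance window limits replay, but the format is provider-specific and is not shown here.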
FAQ
Which providers use webhook signatures?
Stripe, GitHub, Shopify, Slack, and many others.
Why constant-time comparison?
An ordinary comparison stops at the first differing byte, so its running time reveals how many leading bytes of a guessed signature were correct. A constant-time comparison takes the same time regardless of where the mismatch occurs, which removes that leak when comparing secret-derived values.
Provider-specific examples: