Operations
Webhook signature verification
Webhook signature verification is the security pattern of cryptographically verifying that an incoming webhook actually came from the claimed source (Stripe, GitHub, Slack). Without it, anyone who can reach your webhook endpoint can send spoofed requests and trigger arbitrary actions.
More detail
Pattern: the provider signs the payload with HMAC-SHA256 using a shared secret; on receipt you recompute the signature and compare it with the one the provider sent. Stripe, GitHub, Slack, and Calendly all support this. Always verify before acting on payload data, even on 'private' endpoints: webhook URLs leak through deployment logs, screenshots, and CI configs.
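The receive-side check described above, as an added example (not code from any provider's SDK). The `sha256=<hex>` header format, the secret, and the event body are constructed assumptions; each provider documents its own header name and the exact string it signs.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values; a real secret is issued by the provider.
SECRET = b"constructed-example-shared-secret"
BODY = b'{"event":"invoice.paid","id":"evt_constructed_001"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Provider side: HMAC-SHA256 over the exact bytes that go on the wire."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """Receiver side: recompute over the raw body, compare in constant time."""
    if not header or not header.startswith("sha256="):
        return False  # missing or malformed header is a rejection, not a skip
    expected = sign(secret, raw_body)
    # compare_digest does not reveal how many leading characters matched.
    return hmac.compare_digest(expected.encode(), header.encode())


def handle_webhook(raw_body: bytes, header: Optional[str]):
    """Verify first; parse and act on the payload only after the check passes."""
    if not verify(SECRET, raw_body, header):
        return 401, "invalid signature"
    event = json.loads(raw_body)
    return 200, event["event"]


if __name__ == "__main__":
    good = sign(SECRET, BODY)
    print(handle_webhook(BODY, good))                           # accepted
    print(handle_webhook(BODY.replace(b"paid", b"void"), good))  # tampered body
    print(handle_webhook(BODY, None))                           # unsigned request
    # Re-serialising parsed JSON changes the bytes, so the HMAC no longer
    # matches: always verify the raw request body, not a re-encoded copy.
    reencoded = json.dumps(json.loads(BODY)).encode()
    print(verify(SECRET, reencoded, good))
```

A framework that parses JSON before your handler runs has to be configured to expose the unmodified request bytes, or the comparison fails on legitimate deliveries.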
