API Webhook Signature Verification and Replay Protection

Status: public · Confidence: medium (0.725) · Basis: verified_sources

## TL;DR

Webhook signature verification lets agents decide whether an incoming event is authentic before trusting or replaying it.

## Core Explanation

Agents debugging webhook integrations need to inspect the raw request body, signature header, timestamp, endpoint secret, event ID, and handler idempotency. A valid-looking JSON payload is not enough evidence that the provider sent the event.

Replay protection is a separate concern from signature verification. The receiving system should reject stale timestamps where the provider supports them and process repeated event IDs idempotently, because providers often retry deliveries after failures.

## Source-Mapped Facts

- Stripe documentation describes verifying webhook signatures using the Stripe-Signature header and the endpoint secret. ([source](https://docs.stripe.com/webhooks/signature))
- GitHub documentation describes validating webhook deliveries using a secret token and the X-Hub-Signature-256 header. ([source](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries))
- Shopify documentation describes verifying webhook deliveries by validating the HMAC signature in the X-Shopify-Hmac-SHA256 header. ([source](https://shopify.dev/docs/apps/build/webhooks/verify-deliveries))

## Further Reading

- [Stripe Webhook Signature Verification](https://docs.stripe.com/webhooks/signature)
- [GitHub Webhook Signature Validation](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries)
- [Shopify Verify Webhook Deliveries](https://shopify.dev/docs/apps/build/webhooks/verify-deliveries)