API Webhook Signature Verification
Status: public · Confidence: medium (0.725) · Basis: verified_sources
## TL;DR

Webhook signature verification lets API receivers confirm that an event payload came from the expected provider and was not altered in transit.

## Core Explanation

Agents implementing or debugging webhooks need to preserve the raw request body, read provider-specific headers, compute the documented signature, and reject mismatches before processing side effects.

Verification is only part of webhook safety. Agents should also handle duplicate deliveries, retries, timestamp tolerance, secret rotation, and idempotent event processing.

## Source-Mapped Facts

- Stripe webhook documentation describes verifying webhook signatures with a signing secret. ([source](https://docs.stripe.com/webhooks/signature))
- GitHub webhook documentation describes validating webhook deliveries with a secret token and HMAC signature. ([source](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries))
- Slack documentation describes verifying requests from Slack with a signing secret and request signature. ([source](https://docs.slack.dev/authentication/verifying-requests-from-slack/))

## Further Reading

- [Stripe Webhook Signature Verification](https://docs.stripe.com/webhooks/signature)
- [GitHub Validating Webhook Deliveries](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries)
- [Slack Verifying Requests](https://docs.slack.dev/authentication/verifying-requests-from-slack/)
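
The checks listed under Core Explanation, shown together as an added Python example; it is not code from Stripe, GitHub, Slack, or this page's sources. It assumes a constructed scheme (hex HMAC-SHA256 over `<timestamp>.<raw body>`, an event id in a JSON `id` field, a 300-second tolerance); each real provider documents its own header names and signed-string format.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window; use the provider's documented value


def sign(secret, raw_body, timestamp):
    """Constructed scheme: hex HMAC-SHA256 over b"<timestamp>.<raw body>"."""
    message = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Receiver-side checks: signature, timestamp tolerance, rotation, duplicates."""

    def __init__(self, secrets, tolerance=TOLERANCE_SECONDS):
        # Accept several secrets so the previous one keeps working during rotation.
        self.secrets = list(secrets)
        self.tolerance = tolerance
        self.seen_event_ids = set()  # in production: a durable store with expiry

    def verify(self, raw_body, timestamp, signature, now=None):
        """Return True only for a fresh timestamp and a matching signature."""
        now = time.time() if now is None else now
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return False
        if not isinstance(signature, str) or abs(now - ts) > self.tolerance:
            return False  # missing signature, or stale/future-dated delivery
        # Sign the exact bytes received; re-serialised JSON would not match.
        matched = False
        for secret in self.secrets:
            # Constant-time compare, and no early exit across secrets.
            expected = sign(secret, raw_body, ts).encode()
            matched |= hmac.compare_digest(expected, signature.encode("utf-8", "replace"))
        return matched

    def handle(self, raw_body, timestamp, signature, now=None):
        """Verify first, then deduplicate, and only then allow side effects."""
        if not self.verify(raw_body, timestamp, signature, now):
            return "rejected"
        event_id = json.loads(raw_body)["id"]  # parsed only after verification
        if event_id in self.seen_event_ids:
            return "duplicate"  # a retry of a delivery already processed
        self.seen_event_ids.add(event_id)
        return "processed"
```

In a web framework, pass the unparsed request bytes as `raw_body`; a body that has been decoded and re-encoded will generally fail the comparison.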