Webhook signing

Verify signatures before parsing webhook payloads into business logic. Keep the raw request body bytes because signature verification depends on the exact payload sent.

Consumer checklist

  • Read the raw request body before JSON parsing.
  • Verify the signature header with the endpoint secret configured for the subscription.
  • Reject missing, malformed, or stale signatures.
  • Deduplicate only after verification.
  • Return 2xx only after durable acceptance.

Endpoint signing secrets are returned only when an endpoint is created or rotated. Store the value immediately and use /v1/webhooks/endpoints/{id}/secret-rotations when you need a replacement secret.
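The checklist above as an added worked example; this is illustrative code, not the page's or the provider's own, and it assumes details the page does not specify: an HMAC-SHA256 over "<timestamp>.<raw body>", a signature header shaped `t=<unix seconds>,v1=<hex digest>`, and a 300-second staleness window. Note that verification runs on the raw bytes, JSON parsing happens only afterwards, and the event id is recorded for deduplication only once the signature has passed.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumed policy: signatures whose timestamp is further than this from "now" are stale.
TOLERANCE_SECONDS = 300


def compute_signature(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over "<timestamp>.<raw body bytes>"."""
    msg = f"{timestamp}.".encode() + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> Tuple[int, str]:
    """Assumed header format "t=<unix seconds>,v1=<hex digest>"; raises ValueError if malformed."""
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    if "t" not in fields or "v1" not in fields:
        raise ValueError("missing t or v1 field")
    return int(fields["t"]), fields["v1"]


def verify_signature(secret: bytes, header: Optional[str], raw_body: bytes, now: Optional[int] = None) -> bool:
    """Reject missing, malformed or stale signatures; compare digests in constant time."""
    if not header:
        return False
    try:
        timestamp, provided = parse_signature_header(header)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = compute_signature(secret, timestamp, raw_body)
    return hmac.compare_digest(expected, provided)


class WebhookConsumer:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.seen_ids = set()  # in-memory for illustration; use a durable store in production

    def handle(self, header: Optional[str], raw_body: bytes, now: Optional[int] = None) -> int:
        # Verify against the exact bytes received, before any parsing.
        if not verify_signature(self.secret, header, raw_body, now):
            return 401  # unverified: do not parse the body and do not record its id
        event = json.loads(raw_body)
        if event["id"] in self.seen_ids:
            return 200  # verified replay: acknowledge without reprocessing
        self.seen_ids.add(event["id"])  # deduplicate only after verification
        return 200  # return 2xx only once the event is durably accepted
```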