Replay Attack

An attack where a captured valid webhook is re-sent later — possibly by an attacker — to trigger duplicate side effects. Defended against with timestamps and idempotency.

A signed webhook proves authenticity but not freshness. If an attacker intercepts a `payment.succeeded` event today, they can re-send the exact same bytes (signature included) tomorrow — and your handler will accept it as valid.

The defense is two-layered: (1) the sender includes a timestamp in the signed payload, and the receiver rejects requests older than ~5 minutes; (2) the handler deduplicates by event ID so even an in-window replay can't cause duplicate side effects.

Stripe's signature scheme bakes both in: `t=1614264600,v1=abc...` — the timestamp is part of the signed string, and the SDK rejects messages older than 5 minutes by default.
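The two layers described above, as an added example (not Stripe's SDK or HookSense code). It assumes a Stripe-style header where HMAC-SHA256 covers `<timestamp>.<payload>`; the secret, the function names, the returned reason strings and the in-memory dedup set are illustrative assumptions.

```python
import hashlib
import hmac
import json
import time

TOLERANCE = 300                          # seconds: the ~5 minute window
SECRET = b"whsec_constructed_example"    # constructed sample secret
_seen_ids = set()  # assumption: in-memory; production needs a shared store with a TTL


def _mac(payload: bytes, ts: int, secret: bytes) -> str:
    # The timestamp is inside the signed string, so it cannot be swapped
    # for a fresh one without invalidating the signature.
    return hmac.new(secret, f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()


def sign(payload: bytes, ts: int, secret: bytes = SECRET) -> str:
    """Sender side: build the "t=...,v1=..." header value."""
    return f"t={ts},v1={_mac(payload, ts, secret)}"


def verify(payload: bytes, header: str, now=None, secret: bytes = SECRET) -> str:
    """Receiver side: return 'accepted' or the reason for rejection."""
    now = time.time() if now is None else now
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
        sent = parts["v1"]
    except (KeyError, ValueError):
        return "malformed"
    # Authenticity first, using a constant-time comparison.
    if not hmac.compare_digest(_mac(payload, ts, secret).encode(), sent.encode()):
        return "bad_signature"
    # Layer 1: freshness. A captured request fails here once the window passes.
    if abs(now - ts) > TOLERANCE:
        return "stale"
    # Layer 2: idempotency. Catches a replay sent inside the window.
    try:
        event_id = str(json.loads(payload)["id"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if event_id in _seen_ids:
        return "duplicate"
    _seen_ids.add(event_id)
    return "accepted"
```

The dedup store only needs to remember event IDs for as long as the tolerance window, since anything older is already rejected as stale.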

How HookSense helps

HookSense's `replay_callback` lets an agent re-send any captured callback to any target — useful for testing your replay-attack defenses by replaying a 10-minute-old request and confirming it's rejected before your agent ever sees it.
