New — webhooks your AI agents can wait on. Hook & Sense opening to early access.

Glossary

Signing Secret

The shared key between webhook sender and receiver used to compute HMAC signatures. Treat like a password — leak it and authenticity collapses.

When you register a webhook endpoint, the provider gives you a signing secret (whsec_... at Stripe, a hex string at GitHub). The provider uses it to sign every outgoing webhook; you use the same secret to verify.

Storage: never commit the secret. Use environment variables or a secrets manager. Rotate periodically (every 90 days is reasonable) and immediately if leaked.

Rotation without downtime: most providers let you keep two active secrets temporarily. Configure both in your handler, accept signatures matching either, then phase out the old one after the next provider-side rotation.

How HookSense helps

HookSense stores per-callback-endpoint signing secrets encrypted at rest. `verify_signature` runs in our infra, so the secret never appears in an agent's context, handler logs, or stack traces.

Get a free webhook URL

Related terms