
Glossary

Signing Secret

The shared key between a webhook sender and receiver, used to compute HMAC signatures. Treat it like a password: if it leaks, authenticity collapses.

When you register a webhook endpoint, the provider gives you a signing secret (whsec_... at Stripe, a hex string at GitHub). The provider uses it to sign every outgoing webhook; you use the same secret to verify.

Storage: never commit the secret. Use environment variables or a secrets manager. Rotate periodically (every 90 days is reasonable) and immediately if leaked.

Rotation without downtime: most providers let you keep two active secrets temporarily. Configure both in your handler, accept signatures matching either, then phase out the old one after the next provider-side rotation.
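A handler-side sketch of the dual-secret window described above. This is an added example, not HookSense or provider code. It assumes the signature is a hex HMAC-SHA256 over the raw request body; real providers differ in header name, encoding and signed payload, and the environment variable names are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import os


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw request body (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def load_secrets(env=os.environ) -> list[bytes]:
    """Read the current and, during rotation, the previous secret.

    WEBHOOK_SECRET_CURRENT / WEBHOOK_SECRET_PREVIOUS are hypothetical names.
    An unset or empty variable is skipped, so dropping the old secret is a
    config change only.
    """
    names = ("WEBHOOK_SECRET_CURRENT", "WEBHOOK_SECRET_PREVIOUS")
    secrets = [env[n].encode() for n in names if env.get(n)]
    if not secrets:
        # Fail closed: never fall back to accepting unsigned requests.
        raise RuntimeError("no signing secret configured")
    return secrets


def verify(body: bytes, signature_hex: str, secrets: list[bytes]) -> bool:
    """Accept the webhook if the signature matches any active secret."""
    ok = False
    for secret in secrets:
        expected = sign(secret, body)
        # Constant-time comparison; no early exit, so timing does not
        # reveal which of the active secrets matched.
        ok |= hmac.compare_digest(expected.encode(), signature_hex.encode())
    return ok


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    old, new = b"old-secret-constructed", b"new-secret-constructed"
    body = b'{"event":"ping"}'
    print(verify(body, sign(old, body), [new, old]))  # during rotation
    print(verify(body, sign(old, body), [new]))       # after phase-out
```

Verify against the exact bytes received, before any JSON parsing or re-serialization, or the computed HMAC will not match.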

How HookSense helps

HookSense stores per-endpoint signing secrets encrypted at rest. Verification happens in our infra so the secret never appears in your handler logs or stack traces.
