Glossary
Webhook Handshake / Verification
A one-time challenge-response a provider sends when you register a new webhook URL, to confirm you own the endpoint.
Before a provider sends real events, many require a handshake to prove the endpoint URL belongs to you. The pattern varies: Slack sends a url_verification event with a challenge string — you must echo it back. Shopify doesn't have a separate handshake but signs every event from the first one. Stripe requires you to add the endpoint via dashboard or API; no challenge.
Custom webhook systems often implement their own challenge — typically a GET request with a query param you must reflect, or a POST with a token to echo.
Handshakes prevent attackers from registering arbitrary URLs as webhook destinations — without them, anyone could redirect a victim's webhooks to a malicious server.
How HookSense helps
HookSense endpoints respond 200 to any incoming request, which passes most handshake patterns out of the box. For challenge-response styles, configure a custom response with a JSONPath body template.
Get a free webhook URL