
Glossary

Webhook Signature

A cryptographic header attached to a webhook request that lets the receiver prove the message is genuine and untampered.

A webhook signature is a header value computed by the sender from the request body plus a shared secret. Common headers: Stripe-Signature, X-Hub-Signature-256 (GitHub), X-Shopify-Hmac-Sha256, X-Slack-Signature.

Most modern providers use HMAC-SHA256, but the encoding differs: some prefix the algorithm (sha256=...), some include a timestamp (t=12345,v1=abc...), some base64-encode the digest. Reading the provider's docs carefully matters — mismatched encoding is the #1 signature verification bug.

Without verification, any attacker who knows your webhook URL can POST a fake payment-succeeded event and trick your system into shipping product.
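The three encodings described above, as an added example (not HookSense's or any provider's own code), each checked with a constant-time compare. The secret, the body and the 300-second tolerance are constructed assumptions; the header layouts follow the GitHub, Shopify and Stripe formats.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-example-secret"           # constructed, not a real key
BODY = b'{"type":"payment.succeeded","id":1}'    # constructed raw request body

def mac(secret: bytes, msg: bytes) -> bytes:
    """Raw HMAC-SHA256 digest; always compute it over the unparsed body bytes."""
    return hmac.new(secret, msg, hashlib.sha256).digest()

def verify_prefixed_hex(secret: bytes, body: bytes, header: str) -> bool:
    """GitHub-style X-Hub-Signature-256: 'sha256=<hex digest of body>'."""
    algo, _, sent = header.partition("=")
    if algo != "sha256":
        return False
    return hmac.compare_digest(mac(secret, body).hex().encode(), sent.encode())

def verify_base64(secret: bytes, body: bytes, header: str) -> bool:
    """Shopify-style X-Shopify-Hmac-Sha256: base64 of the raw digest."""
    expected = base64.b64encode(mac(secret, body))
    return hmac.compare_digest(expected, header.strip().encode())

def verify_timestamped(secret, body, header, now=None, tolerance=300) -> bool:
    """Stripe-style 't=<unix>,v1=<hex>': the MAC covers '<t>.<body>'."""
    pairs = [p.strip().split("=", 1) for p in header.split(",") if "=" in p]
    ts = next((v for k, v in pairs if k == "t"), "")
    sigs = [v for k, v in pairs if k == "v1"]
    if not (ts.isascii() and ts.isdigit()):
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > tolerance:
        return False  # too old or too far ahead: treat as a replay
    expected = mac(secret, ts.encode() + b"." + body).hex().encode()
    return any(hmac.compare_digest(expected, s.encode()) for s in sigs)

if __name__ == "__main__":
    digest = mac(SECRET, BODY)
    print(verify_prefixed_hex(SECRET, BODY, "sha256=" + digest.hex()))
    print(verify_base64(SECRET, BODY, base64.b64encode(digest).decode()))
    # Same digest, wrong encoding for this header: rejected.
    print(verify_base64(SECRET, BODY, digest.hex()))
```

The last call shows the encoding mismatch: a correct digest sent as hex fails a verifier that expects base64.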

How HookSense helps

When an AI agent awaits a callback through HookSense, the signature header, expected algorithm, and pass/fail status come back with the payload — so `verify_signature` settles authenticity before your agent acts, not after.
