
Glossary

Webhook Signature

A cryptographic header attached to a webhook request that lets the receiver prove the message is genuine and untampered.

A webhook signature is a header value computed by the sender from the request body plus a shared secret. Common headers: Stripe-Signature, X-Hub-Signature-256 (GitHub), X-Shopify-Hmac-Sha256, X-Slack-Signature.

Most modern providers use HMAC-SHA256, but the encoding differs: some prefix the algorithm (sha256=...), some include a timestamp (t=12345,v1=abc...), some base64-encode the digest. Reading the provider's docs carefully matters — mismatched encoding is the #1 signature verification bug.

Without verification, any attacker who knows your webhook URL can POST a fake payment-succeeded event and trick your system into shipping product.
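The three encodings described above, verified side by side. This is an added example, not HookSense or provider code: the function names, the sample secret and body, the `<t>.<body>` signed-payload layout and the 300-second tolerance are assumptions for illustration, so confirm each against your provider's docs.

```python
import base64, hashlib, hmac, time

SECRET = b"whsec_constructed_example"          # constructed sample secret
BODY = b'{"type":"payment.succeeded","id":1}'  # constructed sample raw body

def mac(secret: bytes, msg: bytes) -> bytes:
    return hmac.new(secret, msg, hashlib.sha256).digest()

def ct_eq(a: str, b: str) -> bool:
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())

def verify_prefixed_hex(secret: bytes, body: bytes, header: str) -> bool:
    """'sha256=<hex digest>' computed over the raw body."""
    algo, _, sig = header.strip().partition("=")
    return algo == "sha256" and ct_eq(mac(secret, body).hex(), sig.lower())

def verify_base64(secret: bytes, body: bytes, header: str) -> bool:
    """base64(digest) computed over the raw body."""
    return ct_eq(base64.b64encode(mac(secret, body)).decode(), header.strip())

def verify_timestamped(secret, body, header, now=None, tolerance=300):
    """'t=<unix seconds>,v1=<hex digest>' computed over b'<t>.<body>'."""
    pairs = [p.strip().partition("=") for p in header.split(",")]
    ts = next((v for k, _, v in pairs if k == "t"), "")
    sigs = [v for k, _, v in pairs if k == "v1"]
    if not (ts.isascii() and ts.isdigit()) or not sigs:
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > tolerance:  # tolerance window is an assumption
        return False                    # stale or replayed delivery
    expected = mac(secret, ts.encode() + b"." + body).hex()
    return any(ct_eq(expected, s.lower()) for s in sigs)

if __name__ == "__main__":
    digest = mac(SECRET, BODY)
    b64_header = base64.b64encode(digest).decode()
    print(verify_prefixed_hex(SECRET, BODY, "sha256=" + digest.hex()))  # genuine
    print(verify_base64(SECRET, BODY, b64_header))                      # genuine
    print(verify_prefixed_hex(SECRET, BODY, "sha256=" + b64_header))    # wrong encoding
```

Always compute the MAC over the raw request bytes as received; re-serializing parsed JSON changes the bytes and the signature will no longer match.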

How HookSense helps

Every webhook captured by HookSense shows the signature header, the expected verification algorithm, and pass/fail status — so you debug encoding mismatches in the UI, not after deploy.
