Articles

Webhook Signatures: Beyond Shared Secrets

March 15, 2026 7 min read

Webhook signature verification is fundamentally about proving an event originated from the claimed source, not just that it arrived from that source.

Let’s say you’re building an application that needs to react to events from a third-party service, like a payment gateway. When a payment is successful, the gateway sends a webhook POST request to your server. But how do you know that request is really from the payment gateway and not some attacker trying to trick your system into thinking a payment succeeded when it didn’t? That’s where webhook signature verification comes in.

Imagine the payment gateway generates a secret key that only it and your application know. When it sends a webhook, it takes the payload (the data about the event), signs it with its secret key using a cryptographic hash function (like SHA-256), and then sends both the payload and the signature in the HTTP headers of the request.

Here’s a simplified look at a webhook request and how you might verify it.

The Incoming Request

Let’s assume a payment gateway sends a webhook for a successful payment.

POST /webhook/payment-success HTTP/1.1
Host: your-app.com
Content-Type: application/json
X-Gateway-Signature: sha256=a1b2c3d4e5f6...
Date: Tue, 15 Nov 2023 10:00:00 GMT

{
  "transaction_id": "txn_12345",
  "amount": 100.00,
  "currency": "USD",
  "status": "succeeded",
  "timestamp": 1699990800
}

In this example, X-Gateway-Signature is the header containing the signature. The sha256= prefix tells us the algorithm used. The body is the JSON payload.

Verification on Your Server

Your server receives this request. To verify it, you need to:

  1. Retrieve the Signature: Extract the X-Gateway-Signature header. In our example, it’s sha256=a1b2c3d4e5f6....
  2. Get the Raw Payload: Access the exact, unaltered request body. This is crucial. Any change, even a whitespace, will invalidate the signature.
  3. Recompute the Signature: Using the same secret key that the gateway used (which you should have securely stored on your server) and the same hashing algorithm (SHA-256), you calculate the signature of the raw payload.
  4. Compare Signatures: Compare the signature you just computed with the signature received in the header. If they match exactly, you can be confident the request came from the gateway and the payload hasn’t been tampered with in transit.

Example Code Snippet (Python/Flask)

import hmac
import hashlib
import json

# Assume this is your securely stored secret key from the gateway
GATEWAY_SECRET = "your-super-secret-key-that-nobody-knows"

def verify_webhook_signature(request):
    signature_header = request.headers.get('X-Gateway-Signature')
    if not signature_header:
        return False, "Missing signature header"

    # Remove the algorithm prefix (e.g., 'sha256=')
    try:
        algo, signature = signature_header.split('=', 1)
    except ValueError:
        return False, "Invalid signature format"

    if algo != 'sha256':
        return False, f"Unsupported algorithm: {algo}"

    # Get the raw request body
    raw_payload = request.data

    # Recompute the signature
    computed_signature = hmac.new(
        GATEWAY_SECRET.encode('utf-8'),
        raw_payload,
        hashlib.sha256
    ).hexdigest()

    # Compare signatures
    if hmac.compare_digest(signature, computed_signature):
        return True, "Signature verified"
    else:
        return False, "Signature mismatch"

# In your Flask route:
@app.route('/webhook/payment-success', methods=['POST'])
def handle_payment_webhook():
    is_valid, message = verify_webhook_signature(request)
    if not is_valid:
        return jsonify({"error": message}), 400

    payload_data = json.loads(request.data)
    # Process the validated payload_data...
    return jsonify({"message": "Webhook received successfully"}), 200

Why is this so critical?

Without verification, an attacker could intercept legitimate webhook requests, modify them (e.g., change the amount or status), and resend them to your server. Your server, unaware of the tampering, would then process fraudulent events. Signature verification ensures data integrity (the data hasn’t been altered) and authenticity (the data came from the expected source).

Common Pitfalls and Nuances

  • Timestamp Verification: While signatures prove origin and integrity, they don’t inherently prevent replay attacks (where an attacker resends a valid, old webhook). Many services include a timestamp in the payload. Your server should check that this timestamp is recent (e.g., within the last 5 minutes) to mitigate replay attacks.
  • Secret Key Management: The secret key must be kept absolutely confidential. If an attacker obtains it, they can forge signatures. Store it securely, not in your code repository.
  • Payload Tampering: Crucially, the signature must be computed over the exact raw request body. If your server parses the JSON and then re-serializes it before signing, or if HTTP headers are altered between the sender and your receiver, the signature will fail. Some services sign a specific concatenation of headers and the body. Always read the provider’s documentation carefully.
  • Algorithm Mismatch: Ensure your server uses the same hashing algorithm (e.g., sha256, sha1, hmac-sha256) as the sender.
  • Timing Attacks: When comparing signatures, use a constant-time comparison function like hmac.compare_digest in Python. This prevents attackers from inferring parts of the signature by measuring how long the comparison takes.

The next crucial step after verifying a webhook is often handling potential race conditions or ensuring idempotency if the same webhook might be sent multiple times.

Want structured learning?

Take the full Http course →