Signature Verification
Many webhook providers sign their requests with a secret key so you can verify the request is authentic. SpidyLabs can verify these signatures automatically.
What Is Webhook Signature Verification?
When a service sends a webhook, it often includes a cryptographic signature in the headers. This signature is computed from the request body and a shared secret. By verifying this signature, you confirm:
- The request came from the expected sender
- The request body wasn't tampered with in transit
Supported Providers
Stripe
Stripe signs webhooks with the Stripe-Signature header using HMAC-SHA256.
Header: Stripe-Signature
Format: t=timestamp,v1=signature
To configure:
- Copy your Stripe webhook signing secret from the Stripe Dashboard
- Enter it in SpidyLabs bin settings under Signature Verification
- Select "Stripe" as the provider
GitHub
GitHub signs webhooks with the X-Hub-Signature-256 header using HMAC-SHA256.
Header: X-Hub-Signature-256
Format: sha256=signature
To configure:
- Copy your GitHub webhook secret
- Enter it in SpidyLabs bin settings under Signature Verification
- Select "GitHub" as the provider
Generic HMAC
For other providers that use HMAC signatures:
- Enter your signing secret
- Select "Generic HMAC" as the provider
- Specify the header name containing the signature
- Choose the HMAC algorithm (SHA-256, SHA-1, etc.)
Verification Status
Once configured, each request shows a verification badge:
- Verified — Signature matches. The request is authentic.
- Failed — Signature doesn't match. The request may be tampered with or the secret is wrong.
- No Signature — The request didn't include a signature header.
Security Notes
- Your signing secret is stored securely and never exposed in the UI after saving
- Signature verification happens server-side
- Even if verification fails, the request is still captured for inspection
- This feature helps you debug signature verification issues in your own code
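For comparing against your own code, here is a minimal verifier for the two header formats above that returns the same three statuses as the badges. It is an added example, not SpidyLabs' or either provider's code. Assumptions: the function names, the 300-second timestamp tolerance, and the sample secret and body are constructed for illustration; for Stripe the HMAC input is the timestamp, a literal ".", and the raw request body.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; not a value from this page
SAMPLE_SECRET = b"whsec_constructed_example"  # constructed, not a real secret
SAMPLE_BODY = b'{"id":"evt_constructed","type":"ping"}'  # constructed raw body


def hex_hmac(secret, message):
    """HMAC-SHA256 of message under secret, as lowercase hex."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def same(expected, received):
    """Constant-time comparison; bytes avoid a TypeError on non-ASCII input."""
    return hmac.compare_digest(expected.encode(), received.encode())


def verify_github(secret, body, header):
    """X-Hub-Signature-256 (sha256=signature): HMAC over the raw body bytes."""
    if not header:
        return "No Signature"
    scheme, _, received = header.partition("=")
    if scheme != "sha256":
        return "Failed"
    return "Verified" if same(hex_hmac(secret, body), received) else "Failed"


def verify_stripe(secret, body, header, now=None):
    """Stripe-Signature (t=timestamp,v1=signature): HMAC over t + "." + raw body."""
    if not header:
        return "No Signature"
    timestamp, candidates = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)  # the header may carry more than one v1
    try:
        age = abs((time.time() if now is None else now) - int(timestamp))
    except (TypeError, ValueError):
        return "Failed"  # missing or non-numeric timestamp
    if age > TOLERANCE_SECONDS:
        return "Failed"  # stale timestamp: treat as a possible replay
    expected = hex_hmac(secret, timestamp.encode() + b"." + body)
    return "Verified" if any(same(expected, c) for c in candidates) else "Failed"
```

Pass the body exactly as received, before any JSON parsing or re-serialization; a single changed byte produces "Failed".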