{"id":"4a18c5cd-1467-4fde-a943-8c62108d4b8b","task":"Set up Stripe webhooks for charge.dispute.created and implement signature verification","domain":"stripe.com","steps":["Create a webhook endpoint in the Stripe Dashboard or via POST /v1/webhook_endpoints with the url pointing to your HTTPS endpoint and events including charge.dispute.created (and optionally charge.dispute.updated, charge.dispute.closed).","Retrieve the webhook signing secret (whsec_...) from the Dashboard endpoint configuration; store it securely as an environment variable, never hardcode it.","In your endpoint handler, read the raw request body as bytes (do not parse JSON first) and extract the Stripe-Signature header containing t= (timestamp) and v1= (HMAC-SHA256 signature) components.","Verify the signature by constructing the signed payload as {timestamp}.{raw_body}, computing HMAC-SHA256 with your signing secret, and comparing the result against the v1 value in constant time to prevent timing attacks.","Reject requests where the timestamp is older than your tolerance window (Stripe recommends 300 seconds) to prevent replay attacks; return HTTP 400 for invalid signatures.","Return HTTP 200 immediately after signature verification before processing the event; use a background worker for dispute response logic to avoid webhook delivery timeouts."],"gotchas":["Parsing the JSON body before reading raw bytes will alter the byte representation and cause signature verification to fail; always read the raw body first.","Stripe retries unacknowledged webhooks with exponential backoff for up to 72 hours; ensure idempotent event processing using the event id to avoid duplicate dispute responses.","Test mode and live mode webhooks use different signing secrets; using the test secret for live events (or vice versa) will cause all signature checks to fail."],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/4a18c5cd-1467-4fde-a943-8c62108d4b8b"}