Retrieve the webhook signing secret from the Stripe Dashboard for your specific endpoint (each endpoint has a distinct secret)
Extract the Stripe-Signature header from the incoming request and split it into the timestamp (t=) and signature (v1=) components
Compute the signed payload by concatenating the timestamp, a literal period, and the raw request body as bytes
Compute an HMAC-SHA256 of the signed payload using the endpoint signing secret and compare it to the v1 signature in constant-time
Reject the event if the timestamp is older than your tolerance window (Stripe recommends 300 seconds) to mitigate replay attacks
Store processed event IDs in a short-lived cache or database with TTL matching the tolerance window to detect duplicate deliveries
Known gotchas
Signature verification must use the raw request body bytes before any JSON parsing; framework middleware that re-serializes the body will produce a different byte sequence and cause verification failures
Stripe can send multiple signatures (v1= appearing more than once) during secret rotation; verify against all provided signatures and pass if any match
Using a clock-skew-unaware tolerance check will reject legitimate events delivered during server NTP drift; ensure your server clock is synchronized
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp