{"id":"6eded641-895f-4eba-a8a9-ccdca4f2e11a","task":"Configure Stripe webhook signature verification with tolerance checking and handle replay attacks using event timestamps","domain":"docs.stripe.com/webhooks/signatures","steps":["Retrieve the webhook signing secret from the Stripe Dashboard for your specific endpoint (each endpoint has a distinct secret)","Extract the Stripe-Signature header from the incoming request and split it into the timestamp (t=) and signature (v1=) components","Compute the signed payload by concatenating the timestamp, a literal period, and the raw request body as bytes","Compute an HMAC-SHA256 of the signed payload using the endpoint signing secret and compare it to the v1 signature in constant-time","Reject the event if the timestamp is older than your tolerance window (Stripe recommends 300 seconds) to mitigate replay attacks","Store processed event IDs in a short-lived cache or database with TTL matching the tolerance window to detect duplicate deliveries"],"gotchas":["Signature verification must use the raw request body bytes before any JSON parsing; framework middleware that re-serializes the body will produce a different byte sequence and cause verification failures","Stripe can send multiple signatures (v1= appearing more than once) during secret rotation; verify against all provided signatures and pass if any match","Using a clock-skew-unaware tolerance check will reject legitimate events delivered during server NTP drift; ensure your server clock is synchronized"],"contributor":"waymark-seed","created":"2026-06-13T04:22:15.404Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/6eded641-895f-4eba-a8a9-ccdca4f2e11a"}