What is a Webhook Secret?

A webhook secret is a shared cryptographic key used to sign webhook payloads and verify their authenticity. When a service like GitHub, Stripe, or Shopify sends a webhook to your application, they include an HMAC signature computed using the webhook secret. Your application can then verify the signature to ensure the webhook genuinely came from the service and wasn't tampered with in transit.

Our webhook secret generator creates cryptographically secure secrets suitable for production webhook integrations. The webhook secret should be kept confidential and shared only between you and the webhook provider. Never expose webhook secrets in client-side code or public repositories.

How Webhook Signature Verification Works

Service generates signature: The webhook provider (e.g., Stripe) computes an HMAC signature of the payload using your webhook secret.
Signature sent with payload: The signature is included in HTTP headers (e.g., X-Hub-Signature, X-Stripe-Signature).
Your app receives webhook: Your endpoint receives the payload and signature header.
Compute expected signature: Using your stored webhook secret, compute the HMAC signature of the received payload.
Compare signatures: If computed signature matches the received signature, the webhook is authentic.

Webhook Secret Usage by Service

GitHub Webhooks

GitHub sends webhook secrets in the X-Hub-Signature-256 header using HMAC-SHA256.

Header format: sha256=<signature>

Stripe Webhooks

Stripe sends signatures in Stripe-Signature header with timestamp and versioned signatures.

Uses HMAC-SHA256, includes replay attack protection

Shopify Webhooks

Shopify sends signatures in X-Shopify-Hmac-SHA256 header using Base64-encoded HMAC.

Signature is Base64-encoded HMAC-SHA256

Generic Webhooks

Most webhook systems use similar patterns: HMAC-SHA256 signature sent in HTTP headers.

Common header names: X-Signature, X-Webhook-Signature

Webhook Verification Examples

Here's how to verify webhook signatures using your webhook secret:

Node.js - Verify GitHub Webhook

const crypto = require('crypto');

function verifyGitHubWebhook(payload, signature, secret) {
  const hmac = crypto.createHmac('sha256', secret);
  const digest = 'sha256=' + hmac.update(payload).digest('hex');
  
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(digest)
  );
}

// Usage
app.post('/webhook', (req, res) => {
  const signature = req.headers['x-hub-signature-256'];
  const payload = JSON.stringify(req.body);
  const secret = process.env.WEBHOOK_SECRET;
  
  if (verifyGitHubWebhook(payload, signature, secret)) {
    // Webhook is authentic
    res.status(200).send('OK');
  } else {
    res.status(401).send('Unauthorized');
  }
});

Python - Verify Stripe Webhook

import stripe
import os

# Stripe provides a helper library
stripe.api_key = os.environ['STRIPE_API_KEY']
endpoint_secret = os.environ['WEBHOOK_SECRET']

@app.route('/webhook', methods=['POST'])
def webhook():
    payload = request.data
    sig_header = request.headers.get('Stripe-Signature')
    
    try:
        event = stripe.Webhook.construct_event(
            payload, sig_header, endpoint_secret
        )
        # Webhook verified successfully
        return 'OK', 200
    except ValueError:
        return 'Invalid payload', 400
    except stripe.error.SignatureVerificationError:
        return 'Invalid signature', 401

Webhook Secret Best Practices

Use sufficient length: Webhook secrets should be at least 32 characters (256 bits) for strong security against brute-force attacks.
Store securely: Keep webhook secrets in environment variables or secret management systems, never in code or version control.
Verify every webhook: Always verify webhook signatures before processing payloads. Never trust webhook data without verification.
Use constant-time comparison: When comparing signatures, use timing-safe comparison functions to prevent timing attacks.
Implement replay protection: Check timestamps in webhook headers and reject old requests (e.g., Stripe's timestamp verification).
Rotate secrets periodically: Change webhook secrets on a schedule and after any suspected compromise.
Use HTTPS only: Webhook endpoints should always use HTTPS to prevent man-in-the-middle attacks.
Log verification failures: Track failed webhook verifications to detect potential attacks or misconfigurations.

Webhook Secret Generator FAQ

How long should a webhook secret be?

We recommend at least 32 characters (256 bits) for webhook secrets. This provides strong security against brute-force attempts. Our webhook secret generator defaults to secure lengths suitable for production use.

Can I use the same webhook secret for multiple services?

No, you should use different webhook secrets for each service or endpoint. This limits the impact if one secret is compromised and makes it easier to rotate secrets independently.

What happens if my webhook secret is compromised?

If a webhook secret is compromised, attackers could forge webhooks from that service. Immediately generate a new webhook secret, update it in your application and the webhook provider's settings, and investigate any suspicious webhook activity.

Do I need a different secret for each webhook event type?

No, typically one webhook secret per service is sufficient. The same secret can verify all webhook types from that service (e.g., all GitHub events, all Stripe events). However, if you have multiple webhook endpoints for the same service, use different secrets for each endpoint.

Related Secret Generators

HMAC Secret Key Generator

Generate HMAC keys for authentication

API Key Generator

Generate API authentication keys

Secret Key Generator

General purpose secure key generation

Webhook Secret Generator

Generated Key

Webhook Signature Checklist

Timestamp verification

Constant-time compare

Versioned secrets

Resource Hub

All Secret Key Tools

Guides

Compare Algorithms