Also known as: Stripe webhook verification, Stripe-Signature header verification, constructEvent
Definition
Stripe webhook signature verification is the HMAC-SHA256 check that proves a webhook payload came from Stripe and was not modified in transit. The Stripe-Signature header carries a timestamp and a signature; the receiver recomputes the HMAC over the timestamp and the raw body with the endpoint secret and compares the result to the header value.
When Stripe sends an event to your webhook endpoint, it signs the request with HMAC-SHA256 over {timestamp}.{raw_body} using your endpoint secret. The signature lives in the Stripe-Signature header. Your handler recomputes the same HMAC and rejects the request if signatures don't match.
Read the body as raw text first: const body = await request.text(). Never call request.json() before verification: it consumes the byte stream, and re-serializing the parsed object produces different bytes from the ones Stripe signed. Pass the text body, the Stripe-Signature header, and your endpoint secret to stripe.webhooks.constructEvent, which handles the timestamp check (default 5-minute tolerance), the v1-only scheme check, and the HMAC comparison.
Five patterns account for almost all failures: the framework parsed the body before verification, JSON.parse plus JSON.stringify changed the bytes, the timestamp exceeded the 5-minute tolerance, the wrong endpoint secret was used (test vs live), and the fake v0 test signature scheme was accepted in production. All five surface as the same opaque "No signatures found matching" error.