Stripe -> Verify Signature
Readonly
Stripe → Verify Signature

Action summary

Stripe -> Verify Signature

Xano / Stripe

Stripe → Verify Signature

Overview

This Xano action verifies the signature of incoming Stripe webhook events to ensure their authenticity. It uses your Stripe webhook secret and the HTTP headers to compute and compare the HMAC SHA-256 signature, confirming that the event was sent by Stripe.

Inputs

Name Type Required Description
stripe_webhook_secret text Yes Your Stripe webhook secret (from settings registry).
http_headers json Yes The HTTP headers from the incoming webhook request.

Function Stack

1. Setting up Variables

  • Get All Raw Input: Retrieves the raw input from the webhook request.
  • Create Variable (stripe_signature): Extracts the Stripe signature from the http_headers.
  • Create Variable (stripe_body): Extracts the raw request body.
  • Create Variable (t): Parses the timestamp from the Stripe signature.
  • Create Variable (v1): Parses the signature value from the Stripe signature.

2. Precondition

  • Checks that both the timestamp (t) and signature (v1) are present and not null.

3. Creating the Payload

  • Create Variable (signed_payload): Concatenates the timestamp and raw body as required by Stripe's signature verification process.
  • Create Variable (hmac_sha256_signature): Computes the HMAC SHA-256 hash of the signed payload using your Stripe webhook secret.

4. Result

  • Create Variable (result): Compares the computed signature to the one provided by Stripe and returns true if they match (valid), or false if not (invalid).

Example Usage

Request

{
  "stripe_webhook_secret": "whsec_...",
  "http_headers": {
    "stripe-signature": "t=1625247600,v1=abcdef1234567890..."
    // ... other headers
  }
}

Response

{
  "result": true
}

Notes

  • Always use your actual Stripe webhook secret from the Stripe dashboard.
  • Ensure the full, unmodified raw request body is used for signature verification.
  • This action is essential for protecting your application from forged Stripe webhooks.

Troubleshooting

  • result: false: The signature did not match. Check that you are using the correct webhook secret and that the raw body is not altered.
  • Missing t or v1: The Stripe signature header is malformed or missing. Ensure your endpoint is receiving the correct headers.
  • Other Errors: Refer to Stripe's webhook security documentation for more details on signature verification.

References

Version notes

2025-06-02 11:37:21
Current
2025-06-02T16:37:31.000+00:00

Functionality updates