Stripe Webhook Signature Invalid: Subscription Event Fix
Root cause
The Stripe-Signature header on incoming webhook events does not match the expected HMAC signature computed from your webhook signing secret, indicating either an incorrect signing secret, a request body that was modified before signature verification, or a webhook sent to the wrong endpoint.
Symptoms
- • Your webhook handler throws a signature verification error and rejects Stripe events
- • Subscription state in your database falls out of sync because payment events are not processed
- • Stripe Dashboard shows webhook events as delivered successfully but your endpoint logs show rejection
- • invoice.payment_succeeded events are not updating subscription status in your system
How to fix it
Verify the webhook signing secret matches your endpoint
In Stripe Dashboard, go to Developers > Webhooks and select your webhook endpoint. Click 'Reveal' next to the signing secret. Confirm this value exactly matches the STRIPE_WEBHOOK_SECRET environment variable in your application. Each webhook endpoint has its own unique signing secret — using the secret from one endpoint to verify events from another will always fail.
Open in admin →Verify the raw request body is passed to signature verification
Stripe signature verification requires the raw, unparsed request body — not a JSON.parse result. If your web framework automatically parses request bodies, the parsed body passed to constructEvent() will not match the original signature. Use the raw Buffer from the request: stripe.webhooks.constructEvent(rawBody, sig, secret). In Express, use express.raw({type: 'application/json'}) on the webhook route.
Replay failed webhook events from Stripe Dashboard
After fixing the signature verification issue, replay any events that were rejected during the broken window. In Stripe Dashboard, go to Developers > Webhooks > your endpoint > Failed deliveries. Use the 'Resend' button to replay each failed event. Process them in chronological order to avoid out-of-sequence state updates in your subscription management logic.
Open in admin →Frequently asked questions
Should I skip webhook signature verification in development?
Only in local development where you use Stripe CLI to forward events — the CLI uses a separate test signing secret that is different from your production endpoint's secret. Never skip signature verification in staging or production. Stripe webhooks without signature verification are a security risk: any attacker who knows your endpoint URL can send fake payment success events.
Does a webhook signature failure affect the underlying payment or subscription?
No. The payment and subscription state in Stripe are not affected by whether your endpoint successfully processes the webhook. The webhook is just a notification — if your endpoint fails to process it, the Stripe state remains correct, but your local application state diverges. Fix the signature issue and replay missed events to resync.
Detect this error automatically
Free cross-stack scan finds all billing errors in 60 seconds.
Run Free Scan →