AltorLabFree Scan →
HomeError CodesSTRIPE_WEBHOOK_SIGNATURE_INVALID
stripeshopify

Stripe Webhook Signature Invalid: Subscription Event Fix

Root cause

The Stripe-Signature header on incoming webhook events does not match the expected HMAC signature computed from your webhook signing secret, indicating either an incorrect signing secret, a request body that was modified before signature verification, or a webhook sent to the wrong endpoint.

Symptoms

How to fix it

1

Verify the webhook signing secret matches your endpoint

In Stripe Dashboard, go to Developers > Webhooks and select your webhook endpoint. Click 'Reveal' next to the signing secret. Confirm this value exactly matches the STRIPE_WEBHOOK_SECRET environment variable in your application. Each webhook endpoint has its own unique signing secret — using the secret from one endpoint to verify events from another will always fail.

Open in admin →
2

Verify the raw request body is passed to signature verification

Stripe signature verification requires the raw, unparsed request body — not a JSON.parse result. If your web framework automatically parses request bodies, the parsed body passed to constructEvent() will not match the original signature. Use the raw Buffer from the request: stripe.webhooks.constructEvent(rawBody, sig, secret). In Express, use express.raw({type: 'application/json'}) on the webhook route.

3

Replay failed webhook events from Stripe Dashboard

After fixing the signature verification issue, replay any events that were rejected during the broken window. In Stripe Dashboard, go to Developers > Webhooks > your endpoint > Failed deliveries. Use the 'Resend' button to replay each failed event. Process them in chronological order to avoid out-of-sequence state updates in your subscription management logic.

Open in admin →

Frequently asked questions

Should I skip webhook signature verification in development?

Only in local development where you use Stripe CLI to forward events — the CLI uses a separate test signing secret that is different from your production endpoint's secret. Never skip signature verification in staging or production. Stripe webhooks without signature verification are a security risk: any attacker who knows your endpoint URL can send fake payment success events.

Does a webhook signature failure affect the underlying payment or subscription?

No. The payment and subscription state in Stripe are not affected by whether your endpoint successfully processes the webhook. The webhook is just a notification — if your endpoint fails to process it, the Stripe state remains correct, but your local application state diverges. Fix the signature issue and replay missed events to resync.

Detect this error automatically

Free cross-stack scan finds all billing errors in 60 seconds.

Run Free Scan →