Skip to content
newThe webhook.co MCP server is live — turn any webhook into an agent event. Read the docs
verification

When a signature fails, you'll know why

142 providers, checked at the edge. Every event lands in one of four states — and when a signature doesn't match, we name the likely reason, one of eleven codes, with the fix, instead of a bare match/no-match.

  • github · issues.openedRAW_BODY_MODIFIEDThe body was modified in transit — usually a proxy or framework re-encoding the JSON.
  • shopify · orders.createTIMESTAMP_TOO_OLDThe signature timestamp fell outside the replay window.
  • stripe · invoice.paidWRONG_SECRETThe signature didn't match — the configured secret is likely the wrong one.
Each failure names its cause, with the fix attached.

Verified is not a boolean

An event is verified, authenticated, failed, or unattempted— four states, not two. Roughly 14 of the 142 providers only offer a shared token rather than a real signature, so those land on the weaker authenticated, and we tell you that plainly rather than calling it verified.

Eleven named reasons, each with the fix

Wrong secret. Raw body modified. A proxy mutated the bytes. Timestamp outside the window. No matching key. When verification fails, the edge names the likely cause in plain language — not “no signatures found matching the expected signature.” The one you hit most, RAW_BODY_MODIFIED, usually means a framework re-serialized the body before you verified it; the message says so.

We never re-sign an event we couldn't authenticate

A webhook that fails verification is never delivered onward. One that was never checked is delivered, but never signed. Your app trusts our signature, so our signature has to mean something. Verification and signing both follow Standard Webhooks, for receiving and sending.

the registry

All 142 providers, built in

Each one is a signature scheme we implement and keep working — the header it signs, the bytes it signs over, and the quirks it insists on. The registry is open source, so you can read exactly how any of them is verified before you trust it. Full detail, including each provider’s scheme and signature header, is in the provider directory.

Point a webhook at it. Watch it land.

Start free: a permanent URL, full inspection, one-command replay — and outbound delivery, because every feature is on every plan. Move up when you need more events.