What is a Webhook Signing Secret?

Craft CMS Asked by Britchie on December 15, 2020

I could not find any documentation on the ‘Webhook Signing Secret’ used in Commerce Settings > Gateway > Stripe Gateway. Can someone tell me what this is, what it’s used for and typically what I should be entering as a value? Not sure if this is even required? References or insight most appreciated.

One Answer

Webhooks are like callback events. Basically when something happens on Stripe's side (e.g., a new customer created, a trial subscription cancelled, etc.) your application can get notified as well and take the appropriate action.

They're less useful when your application controls that entire process but in the case of subscriptions, let's say the customer's card declines after month 2. You definitely want to get notified when that happens and take the appropriate action since Stripe is taking care of those payments.

A webhook signing secret is optional but it's basically a signature for verifying that whatever webhook Stripe is sending is legit. Stripe uses a secret key that Commerce can use to verify that Stripe was really the author of that webhook call, which can help prevent things like replay attacks.

It's less useful in the case of smaller applications but if you're building something with Stripe Connect where multiple users can authenticate, get payouts, etc. it becomes essential.

In the case of security, nothing is ever binary. Much like CSRF protection, you want layers of an onion and signing secrets provide another layer of protection.

Answered by RitterKnight on December 15, 2020
