What is a Webhook Signing Secret?

Craft CMS Asked by Britchie on December 15, 2020

I could not find any documentation on the ‘Webhook Signing Secret’ used in Commerce Settings > Gateway > Stripe Gateway. Can someone tell me what this is, what it’s used for and typically what I should be entering as a value? Not sure if this is even required? References or insight most appreciated.

One Answer

Webhooks are like callback events. Basically, when something happens on Stripe's side (e.g. a new customer created, a trial subscription cancelled, etc.), your application can get notified as well and take the appropriate action.

They're less useful when your application controls that entire process but in the case of subscriptions, let's say the customer's card declines after month 2. You definitely want to get notified when that happens and take the appropriate action since Stripe is taking care of those payments.

A webhook signing secret is optional but it's basically a signature for verifying that whatever webhook Stripe is sending is legit. Stripe uses a secret key that Commerce can use to verify that Stripe was really the author of that webhook call, which can help prevent things like replay attacks.

It's less useful in the case of smaller applications but if you're building something with Stripe Connect where multiple users can authenticate, get payouts, etc. it becomes essential.

In the case of security, nothing is ever binary. Much like CSRF protection, you want layers of an onion and signing secrets provide another layer of protection.

Answered by RitterKnight on December 15, 2020
