Glossary · Concept · Updated May 2026

Webhook Signature

noun · also: webhook, secret, jwt

What is a webhook signature?

A webhook signature is a cryptographic proof, included in webhook headers, that the payload truly came from the expected sender.

Definition

Full definition of webhook signature

Without signatures, anyone who knows your webhook URL could send fake events. Modern APIs (Stripe, GitHub, Shopify) sign every webhook with HMAC-SHA256 using a shared secret. The receiver recomputes the signature over the received payload with the same secret and compares it to the value in the header; a mismatch means the request was spoofed. Tiny Command validates signatures for every supported integration automatically.

In practice

Webhook Signature examples

Stripe signature header
Stripe-Signature: t=1234567890,v1=5257a869...

FAQ

Common questions about webhook signature

What if I don't validate signatures?
Attackers can send fake events. Validation is critical for financial or destructive operations. Always validate in production.
Where do I get the secret?
From the sending app's webhook configuration page. Treat it like a password: never check it into Git.