Stripe webhook signature verification failing — how to fix
Quick answer
Stripe signature verification almost always fails because the webhook handler verifies against a modified request body instead of the raw bytes — a JSON body-parser runs first and changes the payload — or the wrong/rotated signing secret is used, or the endpoint sits behind a proxy that alters the body. Fix it by verifying against the exact raw request body with the correct endpoint secret, and confirm with a Stripe test event.
Symptoms
- Stripe dashboard shows webhook deliveries failing with signature errors
- Paid orders don't get fulfilled or subscriptions don't activate
- It works locally but fails in production (or vice-versa)
- Errors started after a deploy, framework upgrade, or secret rotation
Common causes
- The handler verifies a parsed/re-serialized body instead of the raw bytes
- The wrong endpoint signing secret, or a rotated secret not updated
- A proxy, CDN, or middleware mutates the request body before verification
- Clock skew or an overly strict tolerance rejecting valid timestamps
How to check
- 1.Check the Stripe dashboard → Webhooks for the exact error and failing events
- 2.Confirm the route receives the raw body (no JSON parser runs before verify)
- 3.Verify the endpoint secret in your env matches the one Stripe shows
- 4.Resend a test event from Stripe and watch your logs
How to fix it
1. Verify the raw body
Configure the webhook route to read the raw request bytes and pass them to Stripe's verification — a body-parser that runs first is the number-one cause of signature failures.
2. Fix the signing secret
Confirm the endpoint's signing secret in your environment exactly matches Stripe's, and update it wherever the secret was rotated.
3. Bypass body-altering middleware
Ensure no proxy, CDN, or global middleware rewrites the body before your verifier sees it; scope raw-body handling to the webhook route.
4. Detect failures automatically
Liulum's synthetic and endpoint monitoring can exercise your webhook path and alert you the moment verification starts failing — and on managed stacks help restore the last healthy handler.
How Liulum helps
Liulum watches this path continuously, tells you in plain English the moment it breaks, and on sites it manages can run a safe, allow-listed, reversible repair automatically — so an outage lasts seconds, not hours.
Protect your storeFrequently asked questions
Why does Stripe say my webhook signature is invalid?
The verifier is almost certainly checking a modified body. A JSON parser or framework middleware re-serializes the payload before verification, so the bytes no longer match Stripe's signature. Verify against the exact raw request body with the correct endpoint secret.
What happens to orders when webhook verification fails?
Stripe keeps retrying, but until verification passes your app never processes the event — so paid orders go unfulfilled and subscriptions don't activate, silently, until someone checks the dashboard.
Can Liulum catch a broken payment webhook?
Yes — Liulum can synthetically exercise your payment and webhook path and alert you the instant it stops verifying or fulfilling, and on managed stacks help roll back to the last healthy handler.