DEV Community: Prateek Jain The latest articles on DEV Community by Prateek Jain (@prateek32177). https://dev.to/prateek32177 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F526098%2Ff256d475-97fa-4c96-9793-e0cc11d6ae46.png DEV Community: Prateek Jain https://dev.to/prateek32177 en Why Shopify Webhook HMAC Verification Keeps Failing Prateek Jain Fri, 06 Mar 2026 15:58:26 +0000 https://dev.to/prateek32177/why-shopify-webhook-hmac-verification-keeps-failing-33ch https://dev.to/prateek32177/why-shopify-webhook-hmac-verification-keeps-failing-33ch <p>You set up the webhook. Got the secret. Wrote the HMAC check. Still getting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HMAC VALIDATION FAILED </code></pre> </div> <p>Or worse — it passes locally but fails Shopify's automated review. Here's every real reason it happens.</p> <blockquote> <p>if you just want all of this handled without thinking about it — <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer">Tern</a> fixes every issue below out of the box. keep reading to understand why.</p> </blockquote> <h2> 1. You're using the wrong secret </h2> <p>This is the most common one and it's not obvious from the docs.</p> <p>Shopify doesn't give you a dedicated webhook secret like Stripe does. You use your <strong>app's client secret</strong> — the API secret key from your Partner Dashboard. Not the API key. Not the access token. The client secret.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ❌ wrong — this is the API key</span> <span class="nv">SHOPIFY_API_KEY</span><span class="o">=</span>abc123... <span class="c"># ✅ correct — this is what signs webhooks</span> <span class="nv">SHOPIFY_API_SECRET</span><span class="o">=</span>shpss_xyz789... </code></pre> </div> <p>If you're passing the wrong value here every HMAC will fail silently.</p> <h2> 2. The signature is base64 — not hex </h2> <p>Shopify's <code>X-Shopify-Hmac-SHA256</code> header is <strong>base64 encoded</strong>, not hex like Stripe.</p> <p>Most HMAC examples online use <code>.digest('hex')</code>. That gives you the wrong output for Shopify.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ wrong encoding — hex output won't match</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secret</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">rawBody</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// ✅ correct — base64 to match Shopify's header</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secret</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">rawBody</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">)</span> </code></pre> </div> <p>One word difference. Hours of debugging.</p> <h2> 3. Raw body getting parsed before verification </h2> <p>Same problem as Stripe but Shopify's error message gives you even less to go on.</p> <p>Your framework parses the body into a JavaScript object before your handler runs. You re-stringify it. The whitespace changes. The signature doesn't match.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ body is already a parsed object here</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhook</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">)</span> <span class="c1">// not the original bytes</span> <span class="c1">// verification fails</span> <span class="p">})</span> </code></pre> </div> <p>Fix — raw body parser specifically for the webhook route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅raw bytes preserved</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhook</span><span class="dl">'</span><span class="p">,</span> <span class="nx">express</span><span class="p">.</span><span class="nf">raw</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">}),</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hmac</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-shopify-hmac-sha256</span><span class="dl">'</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SHOPIFY_API_SECRET</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">)</span> <span class="c1">// Buffer, not parsed object</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">signature</span> <span class="o">!==</span> <span class="nx">hmac</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">OK</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </div> <h2> 4. Shopify's automated review check failing </h2> <p>You test manually, everything works. You submit for app review, the HMAC check fails.</p> <p>This happens because Shopify's automated checker sends GDPR compliance webhooks — not regular order or product events. If your handler only handles specific topics and ignores GDPR webhooks, the check fails.</p> <p>Make sure your handler responds correctly to:</p> <ul> <li><code>customers/data_request</code></li> <li><code>customers/redact</code></li> <li><code>shop/redact</code></li> </ul> <p>These are mandatory. If they return anything other than 200, the HMAC check is marked as failed even if your signature logic is correct.</p> <h2> 5. Body consumed before your route runs </h2> <p>In Remix and some other frameworks, the authentication middleware reads the request body first. By the time your webhook handler runs, the stream is already consumed.</p> <p>Fix — clone the request before anything touches it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">reqClone</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nf">clone</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">rawPayload</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">reqClone</span><span class="p">.</span><span class="nf">text</span><span class="p">()</span> <span class="c1">// use rawPayload for HMAC verification</span> </code></pre> </div> <h2> The pattern underneath all of this </h2> <p>Shopify webhook failures almost always come down to wrong secret, wrong encoding, or body consumed before verification. The HMAC logic itself is not complicated. The plumbing around it is where everything breaks.</p> <h2> How Tern handles all of this </h2> <p>We kept hitting these same issues — wrong encoding assumptions, raw body bugs, framework quirks. So we built <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer">Tern</a> to absorb all of it.</p> <p><strong>Signature verification — handled correctly</strong></p> <p>Base64 encoding, raw body extraction, correct header — all handled internally. You get a specific <code>errorCode</code> when something fails instead of a silent 400.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createWebhookHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@hookflo/tern/nextjs</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">shopify</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SHOPIFY_API_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// verified — base64, raw body, all handled</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p>Same on Express, Cloudflare Workers and Hono. No raw body setup, no encoding decisions.</p> <p><strong>After verification — events still fail silently</strong></p> <p>Shopify retries failed webhooks but you have no visibility into what failed, why, or when. Merchants find out before you do.</p> <p>Tern's optional reliability layer closes that gap — queue, retries, deduplication, dead letter queue and replay:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">shopify</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SHOPIFY_API_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">queue</span><span class="p">:</span> <span class="p">{</span> <span class="na">token</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">QSTASH_TOKEN</span><span class="o">!</span><span class="p">,</span> <span class="na">retries</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="p">},</span> <span class="na">alerts</span><span class="p">:</span> <span class="p">{</span> <span class="na">slack</span><span class="p">:</span> <span class="p">{</span> <span class="na">webhookUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SLACK_WEBHOOK_URL</span><span class="o">!</span> <span class="p">},</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// queued, retried, alerted on failure</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p>Know when something fails before your merchants do.</p> <p>verify → queue → retry → dedup → DLQ → replay → alert. the full inbound webhook loop, closed.</p> <p>⭐ if this helped, a star means a lot — <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer">Tern</a><br> Docs: tern.hookflo.com<br> <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer">github.com/Hookflo/tern</a> — open source, MIT licensed, zero lock-in.</p> shopify webhooks typescript tutorial Why Shopify Webhook HMAC Verification Keeps Failing Prateek Jain Fri, 06 Mar 2026 15:58:25 +0000 https://dev.to/prateek32177/why-shopify-webhook-hmac-verification-keeps-failing-4i80 https://dev.to/prateek32177/why-shopify-webhook-hmac-verification-keeps-failing-4i80 <p>You set up the webhook. Got the secret. Wrote the HMAC check. Still getting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HMAC VALIDATION FAILED </code></pre> </div> <p>Or worse — it passes locally but fails Shopify's automated review. Here's every real reason it happens.</p> <blockquote> <p>if you just want all of this handled without thinking about it — <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer">Tern</a> fixes every issue below out of the box. keep reading to understand why.</p> </blockquote> <h2> 1. You're using the wrong secret </h2> <p>This is the most common one and it's not obvious from the docs.</p> <p>Shopify doesn't give you a dedicated webhook secret like Stripe does. You use your <strong>app's client secret</strong> — the API secret key from your Partner Dashboard. Not the API key. Not the access token. The client secret.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ❌ wrong — this is the API key</span> <span class="nv">SHOPIFY_API_KEY</span><span class="o">=</span>abc123... <span class="c"># ✅ correct — this is what signs webhooks</span> <span class="nv">SHOPIFY_API_SECRET</span><span class="o">=</span>shpss_xyz789... </code></pre> </div> <p>If you're passing the wrong value here every HMAC will fail silently.</p> <h2> 2. The signature is base64 — not hex </h2> <p>Shopify's <code>X-Shopify-Hmac-SHA256</code> header is <strong>base64 encoded</strong>, not hex like Stripe.</p> <p>Most HMAC examples online use <code>.digest('hex')</code>. That gives you the wrong output for Shopify.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ wrong encoding — hex output won't match</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secret</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">rawBody</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// ✅ correct — base64 to match Shopify's header</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secret</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">rawBody</span><span class="p">)</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">)</span> </code></pre> </div> <p>One word difference. Hours of debugging.</p> <h2> 3. Raw body getting parsed before verification </h2> <p>Same problem as Stripe but Shopify's error message gives you even less to go on.</p> <p>Your framework parses the body into a JavaScript object before your handler runs. You re-stringify it. The whitespace changes. The signature doesn't match.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ body is already a parsed object here</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhook</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">)</span> <span class="c1">// not the original bytes</span> <span class="c1">// verification fails</span> <span class="p">})</span> </code></pre> </div> <p>Fix — raw body parser specifically for the webhook route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅raw bytes preserved</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhook</span><span class="dl">'</span><span class="p">,</span> <span class="nx">express</span><span class="p">.</span><span class="nf">raw</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">}),</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hmac</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-shopify-hmac-sha256</span><span class="dl">'</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SHOPIFY_API_SECRET</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">)</span> <span class="c1">// Buffer, not parsed object</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">signature</span> <span class="o">!==</span> <span class="nx">hmac</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">OK</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </div> <h2> 4. Shopify's automated review check failing </h2> <p>You test manually, everything works. You submit for app review, the HMAC check fails.</p> <p>This happens because Shopify's automated checker sends GDPR compliance webhooks — not regular order or product events. If your handler only handles specific topics and ignores GDPR webhooks, the check fails.</p> <p>Make sure your handler responds correctly to:</p> <ul> <li><code>customers/data_request</code></li> <li><code>customers/redact</code></li> <li><code>shop/redact</code></li> </ul> <p>These are mandatory. If they return anything other than 200, the HMAC check is marked as failed even if your signature logic is correct.</p> <h2> 5. Body consumed before your route runs </h2> <p>In Remix and some other frameworks, the authentication middleware reads the request body first. By the time your webhook handler runs, the stream is already consumed.</p> <p>Fix — clone the request before anything touches it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">reqClone</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nf">clone</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">rawPayload</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">reqClone</span><span class="p">.</span><span class="nf">text</span><span class="p">()</span> <span class="c1">// use rawPayload for HMAC verification</span> </code></pre> </div> <h2> The pattern underneath all of this </h2> <p>Shopify webhook failures almost always come down to wrong secret, wrong encoding, or body consumed before verification. The HMAC logic itself is not complicated. The plumbing around it is where everything breaks.</p> <h2> How Tern handles all of this </h2> <p>We kept hitting these same issues — wrong encoding assumptions, raw body bugs, framework quirks. So we built <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer">Tern</a> to absorb all of it.</p> <p><strong>Signature verification — handled correctly</strong></p> <p>Base64 encoding, raw body extraction, correct header — all handled internally. You get a specific <code>errorCode</code> when something fails instead of a silent 400.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createWebhookHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@hookflo/tern/nextjs</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">shopify</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SHOPIFY_API_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// verified — base64, raw body, all handled</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p>Same on Express, Cloudflare Workers and Hono. No raw body setup, no encoding decisions.</p> <p><strong>After verification — events still fail silently</strong></p> <p>Shopify retries failed webhooks but you have no visibility into what failed, why, or when. Merchants find out before you do.</p> <p>Tern's optional reliability layer closes that gap — queue, retries, deduplication, dead letter queue and replay:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">shopify</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SHOPIFY_API_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">queue</span><span class="p">:</span> <span class="p">{</span> <span class="na">token</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">QSTASH_TOKEN</span><span class="o">!</span><span class="p">,</span> <span class="na">retries</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="p">},</span> <span class="na">alerts</span><span class="p">:</span> <span class="p">{</span> <span class="na">slack</span><span class="p">:</span> <span class="p">{</span> <span class="na">webhookUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SLACK_WEBHOOK_URL</span><span class="o">!</span> <span class="p">},</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// queued, retried, alerted on failure</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p>Know when something fails before your merchants do.</p> <p>verify → queue → retry → dedup → DLQ → replay → alert. the full inbound webhook loop, closed.</p> <p>⭐ if this helped, a star means a lot — <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer">Tern</a><br> Docs: tern.hookflo.com<br> <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer">github.com/Hookflo/tern</a> — open source, MIT licensed, zero lock-in.</p> shopify webhooks typescript tutorial Why Stripe Webhook Signature Verification Keeps Failing Prateek Jain Thu, 05 Mar 2026 18:39:02 +0000 https://dev.to/prateek32177/why-stripe-webhook-signature-verification-keeps-failing-41mg https://dev.to/prateek32177/why-stripe-webhook-signature-verification-keeps-failing-41mg <p>You followed the docs. Copied the example. Added the signature check. Still getting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>No signatures found matching the expected signature for payload </code></pre> </div> <p>Here's every real reason it happens and how to fix each one.</p> <blockquote> <p>if you just want all of this handled without thinking about it <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer">Tern</a> fixes every issue below out of the box. keep reading to understand why.</p> </blockquote> <h2> 1. Your body is already parsed </h2> <p>This gets almost everyone the first time.</p> <p>Stripe needs the <strong>raw bytes</strong> of the request body — exactly what it sent, untouched. If anything touches the body before your handler runs, the signature won't match.</p> <p>In Express the problem is usually this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ express.json() runs first — raw bytes are gone</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhook</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">webhooks</span><span class="p">.</span><span class="nf">constructEvent</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="nx">sig</span><span class="p">,</span> <span class="nx">secret</span><span class="p">)</span> <span class="c1">// fails</span> <span class="p">})</span> </code></pre> </div> <p>Fix — give the webhook route its own raw body parser, separate from everything else:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅ raw body only for this route</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhook</span><span class="dl">'</span><span class="p">,</span> <span class="nx">express</span><span class="p">.</span><span class="nf">raw</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">*/*</span><span class="dl">'</span> <span class="p">}),</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">webhooks</span><span class="p">.</span><span class="nf">constructEvent</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="nx">sig</span><span class="p">,</span> <span class="nx">secret</span><span class="p">)</span> <span class="c1">// works</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="c1">// other routes unaffected</span> </code></pre> </div> <p>Middleware order matters. Webhook route gets raw body — everything else gets parsed JSON.</p> <h2> 2. Test secret vs Live secret </h2> <p>Stripe gives you a different signing secret for test mode and live mode.</p> <p>The Stripe CLI gives you one secret when you run <code>stripe listen</code>. Your Dashboard endpoint has a completely different one. Mixing them always fails silently.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># CLI secret only works with stripe listen</span> whsec_abc123... <span class="c"># Dashboard secret — only works with real Stripe events </span> whsec_xyz789... </code></pre> </div> <p>Keep them separate and explicit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">STRIPE_WEBHOOK_SECRET_TEST</span><span class="o">=</span>whsec_cli_secret <span class="nv">STRIPE_WEBHOOK_SECRET_LIVE</span><span class="o">=</span>whsec_dashboard_secret </code></pre> </div> <h2> 3. Timestamp tolerance — the debugging trap </h2> <p>Stripe embeds a timestamp in the signature. By default anything older than <strong>5 minutes</strong> gets rejected. Replay attack protection.</p> <p>When you replay an old event from the Dashboard, the timestamp is from when Stripe originally sent it — not now. If that was more than 5 minutes ago, verification fails even with the correct secret and correct body.</p> <p>Temporarily extend tolerance while debugging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// debugging only — never in production</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">webhooks</span><span class="p">.</span><span class="nf">constructEvent</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">sig</span><span class="p">,</span> <span class="nx">secret</span><span class="p">,</span> <span class="mi">99999</span><span class="p">)</span> </code></pre> </div> <p>Better — use <code>stripe trigger</code> locally instead of replaying old events. Fresh timestamps every time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>stripe listen <span class="nt">--forward-to</span> localhost:3000/webhook stripe trigger payment_intent.succeeded </code></pre> </div> <h2> 4. A proxy is sitting in front of your server </h2> <p>Cloudflare, nginx, or any reverse proxy can modify request bytes before they reach your handler. Compression, encoding rules, security filters — any of these can break signature verification.</p> <p>Symptom works locally, fails in production with the correct secret.</p> <p>Quick check — bypass the proxy and hit your server directly. If verification passes, the proxy is the culprit. For Cloudflare, whitelist Stripe's IP ranges to pass through without transformation.</p> <h2> The pattern underneath all of this </h2> <p>Every one of these failures has the same root cause — something between Stripe and your verification code modified or lost the original request.</p> <p>The verification logic itself is not complicated. The problem is always the plumbing around it.</p> <h2> How Tern fixes all of this </h2> <p>We kept hitting every one of these issues while building our own product <a href="https://hookflo.com" rel="noopener noreferrer">Hookflo</a> — raw body bugs, wrong secrets, localhost pain, silent failures in production. So we pulled the whole thing out into <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer">Tern</a>, an open source SDK that absorbs all of it.</p> <p><strong>Signature verification — just works</strong></p> <p>Raw body extraction, timestamp validation, correct header parsing — handled internally for every framework. No middleware ordering to think about. If verification fails you get a specific <code>errorCode</code> like <code>INVALID_SIGNATURE</code>, <code>TIMESTAMP_TOO_OLD</code>, or <code>MISSING_HEADER</code> instead of the generic Stripe error.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createWebhookHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@hookflo/tern/nextjs</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">stripe</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// verified — raw body handled, timestamp checked</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p>Works the same on Nextjs, Express, Cloudflare Workers and Hono. Same code, native adapter for each runtime.</p> <p><strong>No localhost tunneling headaches</strong></p> <p>Tern works with Stripe CLI out of the box. No ngrok, no extra setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>stripe listen <span class="nt">--forward-to</span> localhost:3000/webhook stripe trigger payment_intent.succeeded </code></pre> </div> <p><strong>After verification — the full loop</strong></p> <p>Once the signature passes, what happens next? Events fail silently. Customers email saying they missed 200 order updates. No visibility, no retries.</p> <p>Tern has an optional reliability layer for exactly this — queue, retries, deduplication, dead letter queue and replay. Opt-in, bring your own Upstash account:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">stripe</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">queue</span><span class="p">:</span> <span class="p">{</span> <span class="na">token</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">QSTASH_TOKEN</span><span class="o">!</span><span class="p">,</span> <span class="na">retries</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// queued, retried on failure, deduplicated</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p><strong>Know before your users do</strong></p> <p>Slack and Discord alerts when events fail or land in the dead letter queue. Optional, one config line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">alerts</span><span class="p">:</span> <span class="p">{</span> <span class="nl">slack</span><span class="p">:</span> <span class="p">{</span> <span class="na">webhookUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SLACK_WEBHOOK_URL</span><span class="o">!</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p>verify → queue → retry → dedup → DLQ → replay → alert. the whole inbound webhook loop, closed.</p> <p><a href="https://tern.hookflo.com" rel="noopener noreferrer">Docs</a><br> <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer">github.com/Hookflo/tern</a> — open source, MIT licensed, zero lock-in.</p> stripe webhooks typescript hookflo How to Verify Webhooks in Next.js (Stripe, GitHub, Polar, and More) Prateek Jain Fri, 20 Feb 2026 17:57:13 +0000 https://dev.to/prateek32177/how-to-verify-webhooks-in-nextjs-stripe-github-polar-and-more-efd https://dev.to/prateek32177/how-to-verify-webhooks-in-nextjs-stripe-github-polar-and-more-efd <p>If you've ever built a SaaS product, you've written this code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">sig</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">stripe-signature</span><span class="dl">'</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">raw</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getRawBody</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">ts</span> <span class="o">=</span> <span class="nx">sig</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">=</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">s</span> <span class="o">=</span> <span class="nx">sig</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">].</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">=</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">pl</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">ts</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">raw</span><span class="p">}</span><span class="s2">`</span> <span class="kd">const</span> <span class="nx">exp</span> <span class="o">=</span> <span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secret</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">pl</span><span class="p">).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">timingSafeEqual</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">s</span><span class="p">),</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">exp</span><span class="p">)))</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">401</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span><span class="o">/</span><span class="mi">1</span><span class="nx">e3</span> <span class="o">-</span> <span class="nc">Number</span><span class="p">(</span><span class="nx">ts</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">300</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">replay attack</span><span class="dl">'</span><span class="p">)</span> </code></pre> </div> <p>Then three months later you add Polar. Then GitHub. Then Razorpay. Suddenly you have 200 lines of platform-specific signature verification code scattered across your codebase — all doing the same thing differently.</p> <p>This post shows you how to do it once, cleanly, with <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer"><code>@hookflo/tern</code></a>.</p> <h2> Why Webhook Verification Is Harder Than It Looks </h2> <p>Every platform signs webhooks differently:</p> <ul> <li> <strong>Stripe</strong> — <code>t={timestamp},v1={signature}</code> comma-separated, HMAC-SHA256, payload is <code>timestamp.body</code> </li> <li> <strong>GitHub</strong> — <code>sha256={signature}</code> prefixed, HMAC-SHA256, payload is raw body</li> <li> <strong>Polar</strong> — <code>v1={signature}</code> space-separated, Standard Webhooks spec, base64 encoded secret</li> <li> <strong>WorkOS</strong> — millisecond timestamps (not seconds) — breaks every standard timestamp validator</li> <li> <strong>fal.ai</strong> — ED25519 asymmetric crypto with JWKS key rotation, no shared secret at all</li> </ul> <p>Each has subtle differences that are easy to get wrong. And wrong usually means silent failures — webhooks returning 400, retries flooding your server, events you never process.</p> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @hookflo/tern </code></pre> </div> <h2> Basic Usage — Next.js App Router </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/webhooks/stripe/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createWebhookHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@hookflo/tern/nextjs</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">stripe</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="kd">type</span><span class="p">)</span> <span class="c1">// 'payment_intent.succeeded'</span> <span class="k">return</span> <span class="p">{</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p>That's it. Tern handles:</p> <ul> <li>✅ Raw body extraction (the thing that breaks most webhook implementations)</li> <li>✅ Signature verification with timing-safe comparison</li> <li>✅ Replay attack protection via timestamp validation</li> <li>✅ Proper error codes (<code>MISSING_SIGNATURE</code>, <code>INVALID_SIGNATURE</code>, <code>TIMESTAMP_EXPIRED</code>)</li> </ul> <h2> The Key Insight — Change One Word to Switch Platforms </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Stripe</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">stripe</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">})</span> <span class="c1">// Polar — change one word</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">polar</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">POLAR_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">})</span> <span class="c1">// GitHub — change one word</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">github</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GITHUB_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">})</span> <span class="c1">// Razorpay — change one word</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">razorpay</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">RAZORPAY_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <p>Same API. Every platform. The underlying algorithm differences — base64 vs hex, milliseconds vs seconds, prefixed vs comma-separated — are all handled internally.</p> <h2> Error Handling </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">stripe</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">onError</span><span class="p">:</span> <span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Webhook failed:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">.</span><span class="nx">errorCode</span><span class="p">)</span> <span class="c1">// MISSING_SIGNATURE | INVALID_SIGNATURE | TIMESTAMP_EXPIRED</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <h2> Replay Attack Protection </h2> <p>Every platform that sends a timestamp gets automatic replay protection. If a webhook arrives more than 5 minutes after it was signed, Tern rejects it with <code>TIMESTAMP_EXPIRED</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">stripe</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">toleranceInSeconds</span><span class="p">:</span> <span class="mi">300</span><span class="p">,</span> <span class="c1">// default 5 minutes, adjust as needed</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <h2> Custom Platforms </h2> <p>Not on the list? Pass your own config — works with any HMAC scheme:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">custom</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MY_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">signatureConfig</span><span class="p">:</span> <span class="p">{</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hmac-sha256</span><span class="dl">'</span><span class="p">,</span> <span class="na">headerName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">x-my-signature</span><span class="dl">'</span><span class="p">,</span> <span class="na">headerFormat</span><span class="p">:</span> <span class="dl">'</span><span class="s1">raw</span><span class="dl">'</span><span class="p">,</span> <span class="na">payloadFormat</span><span class="p">:</span> <span class="dl">'</span><span class="s1">raw</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <h2> Supported Platforms </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Platform</th> <th>Algorithm</th> <th>Status</th> </tr> </thead> <tbody> <tr> <td>Stripe</td> <td>HMAC-SHA256</td> <td>✅ Verified</td> </tr> <tr> <td>GitHub</td> <td>HMAC-SHA256</td> <td>✅ Verified</td> </tr> <tr> <td>Clerk</td> <td>HMAC-SHA256</td> <td>✅ Verified</td> </tr> <tr> <td>Polar</td> <td>HMAC-SHA256</td> <td>✅ Verified</td> </tr> <tr> <td>Shopify</td> <td>HMAC-SHA256</td> <td>✅ Verified</td> </tr> <tr> <td>WorkOS</td> <td>HMAC-SHA256</td> <td>✅ Verified</td> </tr> <tr> <td>Razorpay</td> <td>HMAC-SHA256</td> <td>✅ Verified</td> </tr> <tr> <td>Replicate</td> <td>HMAC-SHA256</td> <td>✅ Verified</td> </tr> <tr> <td>Paddle</td> <td>HMAC-SHA256</td> <td>✅ Verified</td> </tr> <tr> <td>LemonSqueezy</td> <td>HMAC-SHA256</td> <td>✅ Verified</td> </tr> <tr> <td>DodoPayments</td> <td>HMAC-SHA256</td> <td>✅ Verified</td> </tr> <tr> <td>fal.ai</td> <td>ED25519</td> <td>✅ Verified</td> </tr> </tbody> </table></div> <h2> Why Not Just Use Each Platform's Official SDK? </h2> <p>You could. But:</p> <ul> <li>Stripe's webhook verification ships as part of <code>stripe</code> — a 2MB package</li> <li>GitHub's requires <code>@octokit/webhooks</code> as a separate dep</li> <li>Polar, WorkOS, Razorpay, Replicate have no dedicated webhook verification packages</li> </ul> <p>You end up with multiple packages, multiple APIs, multiple ways to extract the raw body. Tern is <strong>zero dependencies</strong> and one API for all of them.</p> <h2> The Raw Body Problem </h2> <p>One thing that breaks most webhook implementations in Next.js is raw body parsing. JSON middleware re-parses the body and you lose the original bytes needed for HMAC verification.</p> <p>Tern handles this automatically — you never touch the raw body yourself.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// without tern — this breaks signature verification</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">POST</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">req</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="c1">// ← destroys raw body for HMAC</span> <span class="c1">// signature check will always fail from here</span> <span class="p">}</span> <span class="c1">// with tern — just works</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">stripe</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="c1">// raw body handled internally ✅</span> <span class="p">})</span> </code></pre> </div> <h2> Getting Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @hookflo/tern </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createWebhookHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@hookflo/tern/nextjs</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span> <span class="o">=</span> <span class="nf">createWebhookHandler</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">stripe</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// swap to any supported platform</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WEBHOOK_SECRET</span><span class="o">!</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// your logic here</span> <span class="k">return</span> <span class="p">{</span> <span class="na">received</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p><strong>Links:</strong></p> <ul> <li>GitHub: <a href="https://github.com/Hookflo/tern" rel="noopener noreferrer">github.com/Hookflo/tern</a> </li> <li>npm: <a href="https://npmjs.com/package/@hookflo/tern" rel="noopener noreferrer">npmjs.com/package/@hookflo/tern</a> </li> <li>Discord: <a href="https://discord.com/invite/SNmCjU97nr" rel="noopener noreferrer">Hookflo Community</a> </li> </ul> <p><em>Built by <a href="https://hookflo.com" rel="noopener noreferrer">Hookflo</a> — webhook infrastructure for modern SaaS. Star the repo if this helped ⭐</em></p> nextjs typescript webhooks opensource