Skip to content
Error

Webhook signature mismatch: why verification fails

Signature checks fail for a short list of reasons — almost always the body was mutated before signing, or the wrong secret or encoding was used.

A signature mismatch means the HMAC your endpoint computed does not equal the one in the request header, so you reject the delivery with 401 or 400. The signature is correct far more often than not — the mismatch is usually about what you signed.

Common causes

  • Parsed vs raw body — a framework parsed the JSON before you signed it, so you hashed a re-serialized string with different whitespace/key order. Sign the raw bytes.
  • Wrong secret — a test-mode secret against live traffic, or an endpoint-specific secret mixed up.
  • Encoding — comparing hex to base64, or different casing.
  • Timestamp tolerance — providers like Stripe sign timestamp + "." + body and reject stale timestamps; a retried or delayed delivery can fall outside the window.

Confirm it

Use the HMAC signature verifier to compute the expected signature from the exact payload and secret, and compare it to the header. For Stripe specifically, see Stripe signature verification. In HookWatch, the captured request shows the raw body and headers so you can reproduce the check.

Get started

Start debugging your webhooks.

Point one endpoint at HookWatch, capture a failure, and replay it once it’s fixed. Free during beta.