Webhook Secret Mismatch – Signature Failure Verdict

Verdict (TL;DR)

CONTINUE only if signature verification fails.
Otherwise, STOP investigating secrets.

Why this happens (structural)

Webhook signatures fail when the signing secret does not match the expected value or when the raw request body has been altered.

Why further debugging often fails

Guessing secrets or re-copying values does not increase certainty. Only cryptographic verification resolves this.

Responsibility boundary

Secret correctness is a shared boundary. Payload integrity is the receiver's responsibility.

What evidence would change this verdict

  • Deterministic cryptographic verification result

Deterministic verification

Use the Stripe signature verifier: https://webhookverdict.com/tools/stripe-webhook-signature-verifier/
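
The same check can be run locally. The sketch below is an added example, not code from this page or from Stripe's libraries; it follows Stripe's documented scheme (HMAC-SHA256 over `timestamp.raw_body`, compared with the `v1` value in the `Stripe-Signature` header). The secret, event body, timestamps and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

def parse_header(header):
    """Split 't=...,v1=...' into (timestamp, [v1 signatures])."""
    ts, sigs = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            ts = value
        elif key == "v1":
            sigs.append(value)
    return ts, sigs

def expected_signature(secret, timestamp, raw_body):
    """HMAC-SHA256 over b'<timestamp>.<raw body bytes>', hex encoded."""
    signed = timestamp.encode() + b"." + raw_body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()

def verify(secret, header, raw_body, now=None, tolerance=300):
    """Return a verdict string; 'now' (epoch seconds) enables the replay check."""
    ts, sigs = parse_header(header)
    if ts is None or not ts.isdigit() or not sigs:
        return "malformed_header"
    want = expected_signature(secret, ts, raw_body).encode()
    if not any(hmac.compare_digest(want, s.encode()) for s in sigs):
        return "signature_mismatch"
    if now is not None and abs(now - int(ts)) > tolerance:
        return "timestamp_out_of_tolerance"
    return "ok"

def demo():
    secret = "whsec_constructed_example"  # constructed, not a real secret
    raw = b'{"id": "evt_constructed", "type": "charge.succeeded"}'  # constructed
    ts = "1700000000"
    header = "t=%s,v1=%s" % (ts, expected_signature(secret, ts, raw))
    # A framework that parses JSON and re-serializes it changes the bytes.
    reparsed = json.dumps(json.loads(raw), separators=(",", ":")).encode()
    return {
        "raw_body_right_secret": verify(secret, header, raw, now=1700000060),
        "raw_body_wrong_secret": verify("whsec_other_constructed", header, raw),
        "reparsed_body_right_secret": verify(secret, header, reparsed),
        "stale_timestamp": verify(secret, header, raw, now=1700009999),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict)
```

A mismatch on the captured raw bytes points at the secret; a pass on the raw bytes alongside a failure inside the application points at body handling on the receiver.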

Final decision

CONDITIONAL.
Continue only with verified cryptographic evidence.