slug you register the secret under, the signature scheme (HMAC digest is SHA-256 unless noted), the exact signature header, and whether the provider uses a setup handshake (answered automatically). A handful of providers carry the signature in the request body or a form field rather than a header — noted inline.
Most providers take a single
signing_secret (the default kind, so you can omit it). Three
handshake-and-key cases take an extra kind: Meta and eBay accept a verify_token for
their challenge, and Braintree accepts a braintree_public_key alongside its signing secret.
See managing provider secrets.Standard Webhooks
The open Standard Webhooks construction: HMAC-SHA256 over{id}.{ts}.{body}, base64, secret decoded from a whsec_-prefixed key. If your sender implements this spec, this family is the one to match.
| Provider | slug | Scheme | Signature header | Handshake |
|---|---|---|---|---|
| Standard Webhooks | standard_webhooks | HMAC-SHA256 | webhook-signature | — |
| Clerk | clerk | HMAC-SHA256 | svix-signature | — |
| Resend | resend | HMAC-SHA256 | svix-signature | — |
| Stytch | stytch | HMAC-SHA256 | svix-signature | — |
| Supabase | supabase | HMAC-SHA256 | webhook-signature | — |
| Render | render | HMAC-SHA256 | webhook-signature | — |
| Brex | brex | HMAC-SHA256 | webhook-signature | — |
| OpenAI | openai | HMAC-SHA256 | webhook-signature | — |
| Replicate | replicate | HMAC-SHA256 | webhook-signature | — |
| Polar | polar | HMAC-SHA256 | webhook-signature | — |
| Google Gemini | gemini | HMAC-SHA256 | webhook-signature | — |
| incident.io | incident_io | HMAC-SHA256 | webhook-signature | — |
| Etsy | etsy | HMAC-SHA256 | webhook-signature | — |
| Vanta | vanta | HMAC-SHA256 | svix-signature | — |
| Loops | loops | HMAC-SHA256 | webhook-signature | — |
| Increase | increase | HMAC-SHA256 | webhook-signature | — |
| Finch | finch | HMAC-SHA256 | finch-signature | — |
HMAC over the raw body
The signature is computed over the exact request body verbatim — the most common scheme. Digest is SHA-256 unless the row says otherwise.| Provider | slug | Scheme | Signature header | Handshake |
|---|---|---|---|---|
| GitHub | github | HMAC-SHA256 | x-hub-signature-256 | — |
| Shopify | shopify | HMAC-SHA256 | x-shopify-hmac-sha256 | — |
| Meta | meta | HMAC-SHA256 | x-hub-signature-256 | Yes |
| Pusher | pusher | HMAC-SHA256 | x-pusher-signature | — |
| QuickBooks | quickbooks | HMAC-SHA256 | intuit-signature | — |
| Chargify | chargify | HMAC-SHA256 | x-chargify-webhook-signature-hmac-sha-256 | — |
| LaunchDarkly | launchdarkly | HMAC-SHA256 | x-ld-signature | — |
| Modern Treasury | modern_treasury | HMAC-SHA256 | x-signature | — |
| Autodesk Platform Services | autodesk_aps | HMAC-SHA1 | x-adsk-signature | — |
| MongoDB Atlas | mongodb_atlas | HMAC-SHA1 | x-mms-signature | — |
| Xero | xero | HMAC-SHA256 | x-xero-signature | — |
| Segment | segment | HMAC-SHA1 | x-signature | — |
| AfterShip | aftership | HMAC-SHA256 | aftership-hmac-sha256 | — |
| Onfleet | onfleet | HMAC-SHA512 | x-onfleet-signature | — |
| Microsoft Teams | ms_teams | HMAC-SHA256 | authorization (HMAC <b64>) | — |
| Ably | ably | HMAC-SHA256 | x-ably-signature | — |
| Squarespace | squarespace | HMAC-SHA256 | squarespace-signature | — |
| Nylas | nylas | HMAC-SHA256 | x-nylas-signature | — |
linkedin | HMAC-SHA256 | x-li-signature | — | |
| Bolt | bolt | HMAC-SHA256 | x-bolt-hmac-sha256 | — |
| Primer | primer | HMAC-SHA256 | x-signature-primary | — |
| Tally | tally | HMAC-SHA256 | tally-signature | — |
| Framer | framer | HMAC-SHA256 | framer-signature | — |
| Ashby | ashby | HMAC-SHA256 | ashby-signature | — |
| Merge | merge_dev | HMAC-SHA256 | x-merge-webhook-signature | — |
| Cronofy | cronofy | HMAC-SHA256 | cronofy-hmac-sha256 | — |
| Deel | deel | HMAC-SHA256 | x-deel-signature | — |
| Razorpay | razorpay | HMAC-SHA256 | x-razorpay-signature | — |
| Sentry | sentry | HMAC-SHA256 | sentry-hook-signature | — |
| Linear | linear | HMAC-SHA256 | linear-signature | — |
| Dropbox | dropbox | HMAC-SHA256 | x-dropbox-signature | Yes |
| Checkout.com | checkout_com | HMAC-SHA256 | cko-signature | — |
| Lemon Squeezy | lemon_squeezy | HMAC-SHA256 | x-signature | — |
| Coinbase Commerce | coinbase_commerce | HMAC-SHA256 | x-cc-webhook-signature | — |
| Dwolla | dwolla | HMAC-SHA256 | x-request-signature-sha-256 | — |
| GoCardless | gocardless | HMAC-SHA256 | webhook-signature | — |
| Notion | notion | HMAC-SHA256 | x-notion-signature | — |
| WooCommerce | woocommerce | HMAC-SHA256 | x-wc-webhook-signature | — |
| Bitbucket | bitbucket | HMAC-SHA256 | x-hub-signature | — |
| Jira (system webhooks) | atlassian_jira | HMAC-SHA256 | x-hub-signature | — |
| X (Twitter) | x | HMAC-SHA256 | x-twitter-webhooks-signature | Yes |
| ClickUp | clickup | HMAC-SHA256 | x-signature | — |
| npm | npm | HMAC-SHA256 | x-npm-signature | — |
| Heroku | heroku | HMAC-SHA256 | heroku-webhook-hmac-sha256 | — |
| Dub | dub | HMAC-SHA256 | dub-signature | — |
| Cal.com | cal_com | HMAC-SHA256 | x-cal-signature-256 | — |
| Asana | asana | HMAC-SHA256 | x-hook-signature | Yes |
| CircleCI | circleci | HMAC-SHA256 | circleci-signature | — |
| PagerDuty | pagerduty | HMAC-SHA256 | x-pagerduty-signature | — |
| Airtable | airtable | HMAC-SHA256 | x-airtable-content-mac | — |
| DocuSign | docusign | HMAC-SHA256 | x-docusign-signature-1 | — |
| Vercel | vercel | HMAC-SHA1 | x-vercel-signature | — |
| Intercom | intercom | HMAC-SHA1 | x-hub-signature | — |
| Paystack | paystack | HMAC-SHA512 | x-paystack-signature | — |
| Authorize.Net | authorize_net | HMAC-SHA512 | x-anet-signature | — |
| Typeform | typeform | HMAC-SHA256 | typeform-signature | — |
HMAC with a signed timestamp
The signed message includes a timestamp (from a header or a field inside the signature header), so the signature also fences a replay window. Digest is SHA-256 unless noted.| Provider | slug | Scheme | Signature header | Handshake |
|---|---|---|---|---|
| Stripe | stripe | HMAC-SHA256 | stripe-signature | — |
| Slack | slack | HMAC-SHA256 | x-slack-signature | Yes |
| Webflow | webflow | HMAC-SHA256 | x-webflow-signature | — |
| Klaviyo | klaviyo | HMAC-SHA256 | klaviyo-signature | — |
| Mux | mux | HMAC-SHA256 | mux-signature | — |
| Shippo | shippo | HMAC-SHA256 | shippo-auth-signature | — |
| Buildkite | buildkite | HMAC-SHA256 | x-buildkite-signature | — |
| TikTok | tiktok | HMAC-SHA256 | tiktok-signature | — |
| Airship | airship | HMAC-SHA256 | x-ua-signature | — |
| Lob | lob | HMAC-SHA256 | lob-signature | — |
| Persona | persona | HMAC-SHA256 | persona-signature | — |
| Airwallex | airwallex | HMAC-SHA256 | x-signature | — |
| Affirm | affirm | HMAC-SHA512 | x-affirm-signature | — |
| Customer.io (Journeys) | customer_io | HMAC-SHA256 | x-cio-signature | — |
| Box | box | HMAC-SHA256 | box-signature-primary | — |
| ConfigCat | configcat | HMAC-SHA256 | x-configcat-webhook-signature-v1 | — |
| Knock | knock | HMAC-SHA256 | x-knock-signature | — |
| Calendly | calendly | HMAC-SHA256 | calendly-webhook-signature | — |
| Zoom | zoom | HMAC-SHA256 | x-zm-signature | Yes |
| Customer.io (Data Pipelines) | customerio | HMAC-SHA256 | x-cio-signature | — |
| Sinch | sinch | HMAC-SHA256 | x-sinch-webhook-signature | — |
| WorkOS | workos | HMAC-SHA256 | workos-signature | — |
| Front | front | HMAC-SHA256 | x-front-signature | — |
| Zendesk | zendesk | HMAC-SHA256 | x-zendesk-webhook-signature | — |
| Twitch | twitch | HMAC-SHA256 | twitch-eventsub-message-signature | Yes |
| Paddle | paddle | HMAC-SHA256 | paddle-signature | — |
| Recurly | recurly | HMAC-SHA256 | recurly-signature | — |
| Sanity | sanity | HMAC-SHA256 | sanity-webhook-signature | — |
HMAC over request context
These sign more than the body — the request URL, sorted form fields, specific JSON fields, or a manifest. Some carry the signature in the body or a form field rather than a header.| Provider | slug | Scheme | Signature location | Handshake |
|---|---|---|---|---|
| Square | square | HMAC-SHA256 · URL + body | x-square-hmacsha256-signature | — |
| Trello | trello | HMAC-SHA1 · body + URL | x-trello-webhook | — |
| Twilio | twilio | HMAC-SHA1 · URL + form fields | x-twilio-signature | — |
| Mailchimp Transactional (Mandrill) | mandrill | HMAC-SHA1 · URL + form fields | x-mandrill-signature | — |
| HubSpot | hubspot | HMAC-SHA256 · method + URL + body + ts | x-hubspot-signature-v3 | — |
| Adyen | adyen | HMAC-SHA256 · signed body fields | in body (hmacSignature) | — |
| Mailgun | mailgun | HMAC-SHA256 · timestamp + token | in body (signature) | — |
| Mercado Pago | mercado_pago | HMAC-SHA256 · id/request-id/ts manifest | x-signature | — |
| Braintree | braintree | HMAC-SHA1 · signs bt_payload | form field (bt_signature) | Yes |
| Contentful | contentful | HMAC-SHA256 · canonical request | x-contentful-signature | — |
| Plivo | plivo | HMAC-SHA256 · URL + body | x-plivo-signature-v3 | — |
JWT (HS256)
The signature is a JWT signed with a shared secret. Some bind the body via a hash claim; others prove origin, destination, and freshness without hashing the body.| Provider | slug | Scheme | Signature header | Handshake |
|---|---|---|---|---|
| MessageBird (Bird) | messagebird | JWT HS256 · body-hash claim | messagebird-signature-jwt | — |
| Netlify | netlify | JWT HS256 · body-hash claim | x-webhook-signature | — |
| Vonage | vonage | JWT HS256 · body-hash claim | authorization (Bearer) | — |
| monday.com | monday | JWT HS256 · origin-bound | authorization | Yes |
| Jira (Connect apps) | jira_connect | JWT HS256 · qsh-bound | authorization (JWT) | — |
Asymmetric signatures
Public-key verification — you register the provider’s public key (or, for remote-key providers, an issuer URL or app credentials the engine uses to fetch the key). Nothing you hold can forge one of these.| Provider | slug | Scheme | Signature location | Handshake |
|---|---|---|---|---|
| Keygen | keygen | Ed25519 | keygen-signature | — |
| Constant Contact | constant_contact | RS256 (remote JWKS) | x-ctct-webhook-sig | — |
| Discord | discord | Ed25519 | x-signature-ed25519 | Yes |
| Telnyx | telnyx | Ed25519 | telnyx-signature-ed25519 | — |
| SendGrid | sendgrid | ECDSA P-256 | x-twilio-email-event-webhook-signature | — |
| Wise | wise | RSA-SHA256 | x-signature-sha256 | — |
| Kinde | kinde | RS256 JWT (remote JWKS) | body is a JWT (no header) | — |
| PayPal | paypal | RSA (remote cert) | paypal-transmission-sig | — |
| Amazon SNS | aws_sns | RSA (remote cert) | in body (message JSON) | — |
| Plaid | plaid | ES256 JWT (remote key) | plaid-verification | — |
| eBay | ebay | ECDSA-SHA1 (remote key) | x-ebay-signature | Yes |
Token / HTTP Basic
These don’t sign the payload — they prove the source with a shared static token or HTTP Basic credential. A match is real but weaker than a signature, so verified events land in theauthenticated state, never verified. Where the header is operator-configured, you register the header name alongside the token.
| Provider | slug | Scheme | Credential location | Handshake |
|---|---|---|---|---|
| Telegram | telegram | Static token | x-telegram-bot-api-secret-token | — |
| GitLab | gitlab | Static token | x-gitlab-token | — |
| Microsoft Graph | microsoft_graph | Static token | in body (clientState) | Yes |
| Chargebee | chargebee | HTTP Basic | authorization (Basic) | — |
| Postmark | postmark | HTTP Basic | authorization (Basic) | — |
| SparkPost | sparkpost | HTTP Basic | authorization (Basic) | — |
| Mixpanel | mixpanel | HTTP Basic | authorization (Basic) | — |
| Okta | okta | Static token | operator-configured header | Yes |
| BigCommerce | bigcommerce | Static token | operator-configured header | — |
| Datadog | datadog | Static token | operator-configured header | — |
| Brevo | brevo | Static token | operator-configured header | — |
| New Relic | new_relic | Static token | operator-configured header | — |
| Fillout | fillout | Static token | operator-configured header | — |
| Zapier | zapier | Static token | operator-configured header | — |