{timestamp}.{body}, carried in the Stripe-Signature header as t=<unix>,v1=<hex>. Register your endpoint’s signing secret on webhook.co and every inbound request is verified against the exact captured bytes, then stamped with a verification state.
Get the signing secret
In the Stripe Dashboard, open Developers → Webhooks, select (or add) the endpoint pointing at your webhook.co ingest URL, and reveal its Signing secret. It starts withwhsec_.
Register it on your endpoint
Replay window
Because Stripe signs the timestamp, webhook.co enforces a 5-minute tolerance — a request whoset is older than that fails verification rather than being accepted as a possible replay. One signing secret per endpoint is enough; a Stripe-Signature may carry several v1= values during a secret roll, and any match verifies.
Confirm
verified; a bad signature or an expired timestamp shows failed.