Skip to main content
Your receiver shouldn’t carry a verifier for every provider you integrate. Verify each provider at ingestion, subscribe them all to one destination, and webhook.co re-signs the fan-in stream with a single Standard Webhooks secret — so your service verifies exactly one signature, not a dozen.
1

Verify each provider on its own endpoint

One endpoint per source, each with its provider secret registered.
wbhk endpoints add-provider-secret <stripe-endpoint>  --provider stripe
wbhk endpoints add-provider-secret <shopify-endpoint> --provider shopify
wbhk endpoints add-provider-secret <github-endpoint>  --provider github
2

Register one destination — your receiver

add returns a signing secret, shown once. Configure it in your receiver’s Standard Webhooks verifier.
wbhk replay-destinations add https://api.example.com/ingest --label unified
# → signing secret (shown once): whsec...
3

Subscribe every endpoint to that one destination

--require-verified routes only events whose source was authenticated (the verified and authenticated states), dropping unattempted and failed. webhook.co re-signs each with the destination’s secret — the un-forgeable verification state gates whether we vouch for it, so a forged event never carries your signature.
wbhk subscriptions add <stripe-endpoint>  <destination-id> --require-verified
wbhk subscriptions add <shopify-endpoint> <destination-id> --require-verified
wbhk subscriptions add <github-endpoint>  <destination-id> --require-verified
Every subscription to the same destination delivers under the same signing secret, so your receiver runs one verifier. Rotate it in one place — see rotate a signing secret.