#phito-webhook-authentication


grave masonBOT
lament onyx
#


Correct, Stripe makes an HTTPS POST request to the URL set for your webhook endpoint. It can't do authentication (other than adding a secret in the URL). So you'd need to remove authentication on that endpoint/URL specifically.

#

cc @undone lichen to make sure you see this ^

undone lichen
# lament onyx Correct, Stripe makes an HTTPS POST request to the URL set for your webhook endpo...

Thanks for replying! Dang. My use case is I’m trying to make an “account balance” for each user. So that webhook would be my source of truth for how much money each user has added to and spent from their “account”. If Stripe can’t authenticate, does that mean anyone in the world with my endpoint URL can send fake events and add money to their account without truly paying through Stripe?

lament onyx
#

you can verify that the Event comes from Stripe and is genuine