Guide
Webhook Signature Schemes
Most providers sign webhooks with HMAC, but the exact input is not universal. Some sign only the raw body, some include timestamps or ids, some sign the URL, and some use public-key verification instead of a shared secret.
69 source types6 scheme groupsGenerated from source docsProvider pages stay canonical
How to use this matrix
Use this page to identify the verification family. Then open the provider source page for the exact header names, FastHook field, setup challenge, and official provider documentation.
Raw body means exact body.Do not trim, reformat, or reserialize JSON before checking a digest.
Timestamped signatures include metadata.The separator and prefix matter as much as the algorithm.
URL-aware signatures are brittle by design.Changing query strings, hosts, or callback URLs can invalidate signatures.
Public-key schemes do not share a secret.Configure the public key, webhook id, certificate, or app public key instead.
32 source types
Raw-body HMAC
The provider signs the exact request body. Encoding, whitespace, key order, and line endings must match the bytes FastHook receives.raw body, usually HMAC-SHA256; some providers use SHA-1, SHA-512, hex, or base64 outputWEBHOOKCustom WebhookFastHook can verify a generic HMAC-SHA256 signature over the raw request body, or use Basic Auth/API key checks before queueing.GITHUBGitHubFastHook computes HMAC-SHA256 over the exact raw request body and compares it to x-hub-signature-256 with the sha256= prefix.SHOPIFYShopifyFastHook computes a base64 HMAC-SHA256 digest over the raw request body and compares it to x-shopify-hmac-sha256.METAMetaFastHook verifies POST deliveries with x-hub-signature-256 and answers GET hub.challenge checks only when hub.verify_token matches.LINELINEFastHook computes a base64 HMAC-SHA256 digest over the raw request body and compares it to x-line-signature.DOCUSIGNDocuSignFastHook computes base64 HMAC-SHA256 over the raw body and compares it with x-docusign-signature-1 through x-docusign-signature-100.DROPBOXDropboxFastHook echoes GET ?challenge=... and verifies POST x-dropbox-signature as HMAC-SHA256 hex over the raw body.INTERCOMIntercomFastHook computes sha1= HMAC-SHA1 over the raw body and compares it with x-hub-signature.LINEARLinearFastHook computes HMAC-SHA256 hex over the raw body and compares it to linear-signature while preserving Linear provider headers for downstream routing.TYPEFORMTypeformFastHook computes base64 HMAC-SHA256 over the raw body and compares it to typeform-signature with the sha256= prefix.COINBASE_COMMERCECoinbase CommerceFastHook verifies x-cc-webhook-signature as HMAC-SHA256 over the raw body, and also supports the timestamped x-hook0-signature form.RAZORPAYRazorpayFastHook computes HMAC-SHA256 hex over the raw body and compares it with x-razorpay-signature.LEMON_SQUEEZYLemon SqueezyFastHook computes HMAC-SHA256 hex over the raw body and compares it with x-signature.ASANAAsanaFastHook answers the x-hook-secret handshake and verifies later x-hook-signature HMAC-SHA256 values over the raw body.NYLASNylasFastHook echoes GET ?challenge=... and verifies x-nylas-signature as HMAC-SHA256 hex over the raw body.XEROXeroFastHook computes a base64 HMAC-SHA256 digest over the raw body and compares it to x-xero-signature.BITBUCKETBitbucketFastHook computes sha256= HMAC-SHA256 over the raw body and compares it with x-hub-signature.WOO_COMMERCEWooCommerceFastHook computes base64 HMAC-SHA256 over the raw body and compares it with x-wc-webhook-signature.WEBEXWebexFastHook computes HMAC-SHA1 hex over the raw body and compares it with x-spark-signature.VERCELVercelFastHook computes HMAC-SHA1 hex over the raw body and compares it with x-vercel-signature.HEROKUHerokuFastHook computes base64 HMAC-SHA256 over the raw body and compares it with heroku-webhook-hmac-sha256.CIRCLECICircleCIFastHook computes HMAC-SHA256 hex over the raw body and compares it with the v1 value in circleci-signature.LAUNCHDARKLYLaunchDarklyFastHook computes HMAC-SHA256 hex over the raw body and compares it with x-ld-signature.CLICKUPClickUpFastHook computes HMAC-SHA256 hex over the raw body and compares it with x-signature.GRAFANAGrafanaFastHook verifies HMAC-SHA256 hex over raw body, or timestamp + ':' + raw body when a timestamp header is configured.SENTRYSentryFastHook computes HMAC-SHA256 hex over the raw body and compares it with sentry-hook-signature.NOTIONNotionFastHook computes sha256= HMAC-SHA256 over the raw body with the Notion verification token and compares it with x-notion-signature.PAYSTACKPaystackFastHook computes HMAC-SHA512 over the raw request body using the configured secret key and compares it with x-paystack-signature.GOCARDLESSGoCardlessFastHook computes HMAC-SHA256 hex over the raw body with the webhook endpoint secret and compares it with webhook-signature.PAGERDUTYPagerDutyFastHook parses x-pagerduty-signature, extracts v1 values, and accepts any HMAC-SHA256 hex digest that matches the raw body.CHARGEBEE_RETENTIONChargebee RetentionFastHook computes HMAC-SHA1 hex over the raw request body and accepts either the raw digest or sha1= digest form in x-hub-signature.CHECKOUT_COMCheckout.comFastHook computes HMAC-SHA256 hex over the raw request body with the configured secret key and compares it with cko-signature.
16 source types
Timestamped HMAC
The provider includes a timestamp, message id, or version prefix in the signed value. FastHook verifies both the header shape and the provider-specific signing input.timestamp or message metadata plus raw body, joined with the provider's required separatorSTRIPEStripeFastHook reads stripe-signature, validates the timestamp, and verifies the v1 HMAC-SHA256 signature over timestamp + '.' + raw body.SLACKSlackFastHook verifies x-slack-signature by signing v0:timestamp:raw-body and checks the timestamp tolerance.ZOOMZoomFastHook verifies x-zm-signature over v0:timestamp:raw-body and returns encryptedToken for Zoom endpoint.url_validation payloads.MAILGUNMailgunFastHook computes HMAC-SHA256 over timestamp + token and compares it with the Mailgun signature field.CALENDLYCalendlyFastHook verifies calendly-webhook-signature by signing timestamp + '.' + raw body with HMAC-SHA256.PADDLEPaddleFastHook verifies paddle-signature by signing timestamp + ':' + raw body with HMAC-SHA256.ZENDESKZendeskFastHook signs timestamp + raw body with HMAC-SHA256 and compares the base64 digest to x-zendesk-webhook-signature.WORKOSWorkOSFastHook verifies workos-signature by signing timestamp + '.' + raw body with HMAC-SHA256 and millisecond timestamp validation.MUXMuxFastHook verifies mux-signature by signing timestamp + '.' + raw body with HMAC-SHA256.BUILDKITEBuildkiteFastHook verifies x-buildkite-signature by signing timestamp + '.' + raw body with HMAC-SHA256.KLAVIYOKlaviyoFastHook signs raw body + timestamp with HMAC-SHA256 and compares the hex digest to klaviyo-signature.CUSTOMER_IOCustomer.ioFastHook signs v0:timestamp:raw-body with HMAC-SHA256 and compares it to x-cio-signature.HYGRAPHHygraphFastHook parses gcms-signature, builds the Hygraph signed JSON envelope with body, environment, and timestamp, then verifies the base64 HMAC-SHA256 signature.SANITYSanityFastHook signs timestamp + '.' + raw body with HMAC-SHA256, normalizes base64url, and compares it to the v1 signature.TWITCHTwitchFastHook signs message id + timestamp + raw body with HMAC-SHA256, prefixes the digest with sha256=, and compares it with twitch-eventsub-message-signature.CLOUDINARYCloudinaryFastHook validates x-cld-timestamp, signs raw body + timestamp + API secret, and accepts Cloudinary SHA-1 or SHA-256 signature digests.
6 source types
Svix and Standard Webhooks
These providers use a message id, timestamp, and signature header pattern. FastHook handles the canonical message string and whsec-style secret formats.message id + timestamp + raw bodySVIXSvixFastHook verifies the Svix signature over message-id + '.' + timestamp + '.' + raw body using the configured whsec secret.GITLABGitLabFastHook uses Svix verification when webhook-signature is present; otherwise it compares x-gitlab-token with the configured token.CLERKClerkFastHook uses Svix verification over message id, timestamp, and raw body with the configured whsec secret.RESENDResendFastHook uses Svix verification over message id, timestamp, and raw body with the configured whsec secret.OPENAIOpenAIFastHook verifies webhook-signature over webhook-id + '.' + webhook-timestamp + '.' + raw body using the configured Standard Webhooks secret.BIGCOMMERCEBigCommerceFastHook verifies webhook-signature over webhook-id + '.' + webhook-timestamp + '.' + raw body using the configured Standard Webhooks secret.
4 source types
URL-aware signatures
The callback URL, request URI, form parameters, or callback URL value is part of the signature input. Changing provider URLs or query strings can break verification.public URL or request URI plus body or form fieldsTWILIOTwilioFastHook verifies x-twilio-signature using the public request URL, form parameters when applicable, and bodySHA256 when Twilio sends it.HUBSPOTHubSpotFastHook signs method + request URI + raw body + timestamp with HMAC-SHA256 and compares the base64 digest.SQUARESquareFastHook signs request URL + raw body with HMAC-SHA256 and compares the base64 digest to x-square-hmacsha256-signature.TRELLOTrelloFastHook answers HEAD validation with 200 and verifies x-trello-webhook as HMAC-SHA1 base64 over raw body + callback URL.
4 source types
Public-key and RSA verification
The provider signs with its private key. FastHook verifies with a public verification key, certificate, webhook id, or application public key.provider canonical string plus public-key verificationSENDGRIDSendGridFastHook verifies the ECDSA P-256 signature over timestamp + raw body using the configured public verification key.DISCORDDiscordFastHook verifies the Ed25519 signature over timestamp + raw body using the Discord application public key.AWS_SNSAWS SNSFastHook builds the canonical SNS string and verifies the RSA PKCS#1 signature using the SNS certificate or configured public key.PAYPALPayPalFastHook verifies the PayPal RSA signature over transmission id, time, webhook id, and CRC32 of the raw body.
6 source types
Token, Basic Auth, and challenge checks
Some providers prove identity with a static header, Basic Auth credentials, validation token, or one-time challenge instead of body hashing.configured header value, Basic Auth credentials, client state, or setup challenge tokenMICROSOFT_GRAPHMicrosoft GraphMicrosoft Graph validation is challenge-based. FastHook echoes validationToken and optionally verifies notification clientState values.TELEGRAMTelegramFastHook compares x-telegram-bot-api-secret-token with the configured secret token before queueing.POSTMARKPostmarkFastHook verifies the Authorization Basic header against the configured username and password.OKTAOktaFastHook returns Okta's verification challenge and compares the Authorization header with the configured secret for event deliveries.REVENUECATRevenueCatFastHook compares the Authorization header with the configured value and does not need to read the raw body for this provider.AUTH0Auth0FastHook compares the Authorization header with the configured value and does not need to read the raw body for this provider.
1 source types
Other source checks
Source types that are not yet classified into one of the main scheme groups.Debugging checklist
- Match the provider source type before deciding which secret or public key to paste into FastHook.
- Check the exact signature header and prefix on the provider page, not just the algorithm name.
- For HMAC failures, compare the raw body FastHook received with the body your test command signed.
- For timestamped schemes, confirm the timestamp header, separator, version prefix, and clock tolerance.
- For URL-aware schemes, keep the provider callback URL stable after registration.
- Use Requests to inspect rejected source auth records before debugging connection or destination delivery.