Signature Verification

Every webhook received by Transyt is cryptographically verified using the provider’s specific signature scheme. This ensures webhooks are authentic and haven’t been tampered with in transit.

Verification by Provider

Provider	Algorithm	Header
Stripe	HMAC-SHA256 + timestamp	`Stripe-Signature`
SignalWire	HMAC-SHA1 / HMAC-SHA256	`X-SignalWire-Signature` / `X-Twilio-Signature`
Twilio	HMAC-SHA1	`X-Twilio-Signature`
Lob	HMAC-SHA256 + timestamp	`Lob-Signature`
SES/SNS	RSA certificate verification	SNS message fields
Mailgun	HMAC-SHA256	Body fields (`signature.timestamp`, `signature.token`, `signature.signature`)
Resend	Svix HMAC-SHA256	`svix-id`, `svix-timestamp`, `svix-signature`
Ramp	HMAC-SHA256	`X-Ramp-Webhook-Signature`
Linear	HMAC-SHA256	`Linear-Signature`
Authorize.net	HMAC-SHA512	`X-ANET-Signature`
Crisp	URL key parameter	Query string `?key=`
WhatConverts	URL key parameter	Query string `?key=`
Generic	Flexible (header, Bearer, URL param)	Multiple

Timestamp Validation

Providers that include timestamps in their signatures (Stripe, Lob, Resend) are validated against a 5-minute tolerance window (300 seconds). This prevents replay attacks where a captured valid webhook is re-sent later.

Failed Verification

When signature verification fails:

The event is stored with status = rejected
The raw headers are preserved for debugging
The last_error field contains the rejection reason
A 401 Unauthorized response is returned to the provider

This approach ensures you can debug verification failures without losing the webhook data.

Skipping Verification

For development or testing, you can set skip_signature_verification: true on a provider account. This bypasses signature checks entirely.

Constant-Time Comparison

All signature comparisons use constant-time algorithms (hmac.compare_digest) to prevent timing attacks. This applies to both HMAC signature verification and URL key parameter authentication.