Webhooks
This guide provides best practices for handling webhooks from SignEngine.
Verifying Signatures
To ensure that the webhook requests you receive are genuinely from SignEngine, you should verify the signature included in the headers.
For Stripe webhooks, this involves checking the stripe-signature header against your endpoint's secret.
Retries
If your server returns a non-2xx response (e.g., 500, 503, 404), SignEngine (or the provider like Stripe) will attempt to resend the notification.
Best Practice: Ensure your webhook handler is idempotent. This means that processing the same event multiple times should not have adverse side effects (e.g., deduplicate based on Event ID).
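The following is an added example, not SignEngine's or Stripe's own code, that combines the signature check from "Verifying Signatures" with the event-ID deduplication described here. It assumes Stripe's documented header layout (`t=<unix timestamp>,v1=<hex HMAC-SHA256 of "timestamp.payload">`), a 300-second replay tolerance, and an in-memory set standing in for a durable store; all function names are hypothetical.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window


def make_header(payload: bytes, secret: str, ts: int) -> str:
    """Build a header for local tests only (constructed input, not a real event)."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256)
    return f"t={ts},v1={mac.hexdigest()}"


def verify_stripe_signature(payload: bytes, header: str, secret: str, now=None) -> bool:
    """Check a stripe-signature header against the endpoint secret."""
    timestamp, candidates = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False  # header missing or malformed
    # Reject stale timestamps so a captured request cannot be replayed later.
    now = time.time() if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    signed = timestamp.encode() + b"." + payload
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    # Constant-time compare; more than one v1 value may be sent during secret rotation.
    return any(hmac.compare_digest(expected.encode(), c.encode()) for c in candidates)


_seen_event_ids = set()  # stand-in for a durable store with a unique constraint


def handle_webhook(payload: bytes, header: str, secret: str, now=None):
    """Return (status, note): verify first, then deduplicate on event ID."""
    if not verify_stripe_signature(payload, header, secret, now):
        return 400, "invalid signature"
    event = json.loads(payload)
    if event["id"] in _seen_event_ids:
        return 200, "duplicate ignored"  # 2xx stops further retries
    _seen_event_ids.add(event["id"])
    return 200, "accepted"  # queue the real work here and reply immediately
```

Pass the raw request body bytes to the verifier, before any JSON parsing or re-serialisation, or the HMAC will not match.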
Security
- Use HTTPS for your webhook endpoints.
- Validate signatures.
- Return a 200 OK as quickly as possible, then process the business logic asynchronously if it takes time.