Why Verify?
Since your webhook endpoint is publicly accessible, anyone could send requests to it pretending to be storekit. Signature verification prevents:

- Spoofed requests: Attackers sending fake webhooks
- Replay attacks: Old webhooks being resent maliciously
- Data tampering: Modification of webhook payloads in transit
Using Svix Libraries (Recommended)
We recommend using the official Svix libraries for verification, which handle all the complexity for you:

Manual Verification
If you prefer to verify signatures manually without using the Svix library, follow the steps below.

Signature Headers
Each webhook includes these headers for verification:

| Header | Description |
|---|---|
| svix-id | Unique message identifier |
| svix-timestamp | Unix timestamp of when the message was sent |
| svix-signature | The signature(s) to verify against |
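
How the three headers combine in a manual check, as an added example that is not storekit's or Svix's own code. It follows Svix's documented scheme (HMAC-SHA256 over `id.timestamp.body`, keyed with the base64 part of the `whsec_` secret); the secret, the function names and the 5-minute tolerance are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo secret (not a real one): "whsec_" + base64 key material.
DEMO_SECRET = "whsec_" + base64.b64encode(b"constructed-demo-key-32-bytes!!!").decode()
TOLERANCE_SECONDS = 5 * 60  # assumed replay window


def sign(secret, msg_id, timestamp, body):
    """Return the "v1,<base64>" signature for one message (sender's side)."""
    key = base64.b64decode(secret.removeprefix("whsec_"))
    signed_content = f"{msg_id}.{timestamp}.".encode() + body
    digest = hmac.new(key, signed_content, hashlib.sha256).digest()
    return "v1," + base64.b64encode(digest).decode()


def verify(secret, headers, body, now=None):
    """Check a delivery; `headers` is a dict with lower-case names, `body` raw bytes."""
    try:
        msg_id = headers["svix-id"]
        ts_raw = headers["svix-timestamp"]
        sig_header = headers["svix-signature"]
        timestamp = int(ts_raw)
    except (KeyError, ValueError):
        return False  # missing or malformed header
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # too old or too far in the future: replay protection
    expected = sign(secret, msg_id, ts_raw, body).split(",", 1)[1].encode()
    matched = False
    # The header may carry several space-separated signatures (key rotation).
    for entry in sig_header.split():
        version, _, candidate = entry.partition(",")
        if version == "v1" and hmac.compare_digest(candidate.encode(), expected):
            matched = True
    return matched
```

Pass the request body exactly as received: parsing and re-serializing the JSON before verification changes the bytes and makes valid signatures fail.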