
How to verify Stripe webhook signatures?

Hi all - I am using the Stripe API for my app. I have connected to Stripe using the API connector directly (which works great) as opposed to using the Bubble Stripe plugin. In order to listen to Stripe events (e.g. a new subscription to my app is confirmed), I have set up webhooks in Bubble, which again works great.

Now, I want to make sure that the events sent to my webhooks are indeed coming from Stripe (and not another potentially rogue service that is sending data to make me think they are Stripe so I make changes in my database).
In order to verify that I am really listening to events sent by Stripe, Stripe can sign their webhook events (see here). Does anyone know how I can set up my webhooks in Bubble to verify the Stripe signature?

I read through this forum post already which addresses this question but as far as I understand, no clear answers came out of the discussion and the topic is now closed.
Thank you!

That’s correct, there is no real way to check. You could (without taking into account the performance impact) fetch the event from the Stripe API, so the only information that you use from the webhook that comes from Stripe is the event ID, and after that you fetch that information from Stripe with your API key.

I see. This is not great from a performance perspective, but I guess we have no choice. Thank you @matt_moo for the swift response! It’s very helpful.

It’s crazy to me that this hasn’t been implemented yet, given the number of people using Stripe with Bubble… Heck, the official documentation doesn’t even mention securing webhooks at all…

Digging through older threads, it seems the one limiting factor is simply having access to the raw request body. @eve is there any way that the team can either:
a) Provide access to an API request’s entire body (perhaps as a “stringified” object) from within an API workflow
b) Update the Stripe plugin to verify signature requests (if possible, since I’m not sure if Bubble-built plugins have the same limitations)

For reference, this is the verification process, which can be done using the Stripe library as long as we have the body in object form:

https://stripe.com/docs/webhooks/signatures
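
The check described on the Stripe page linked above, written out by hand as an added example (not code from any poster, Bubble or Stripe): the `Stripe-Signature` header carries `t=<timestamp>` and one or more `v1=<hex HMAC-SHA256>` values computed over `<timestamp>.<raw body>` with the endpoint's signing secret. The secret, event body and function names are constructed for illustration; the re-serialised sample shows why the unmodified request bytes are needed.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # replay window; Stripe's libraries default to five minutes


def parse_signature_header(header):
    """Split 't=...,v1=...,v1=...' into the timestamp and every v1 signature."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def compute_signature(secret, timestamp, raw_body):
    """HMAC-SHA256 over b'<timestamp>.<raw body>' keyed with the signing secret."""
    signed_payload = timestamp.encode() + b"." + raw_body
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_stripe_signature(raw_body, header, secret, now=None):
    """Return True only for a fresh timestamp and a matching v1 signature."""
    timestamp, signatures = parse_signature_header(header)
    try:
        sent_at = int(timestamp)
    except (TypeError, ValueError):
        return False  # header has no usable t= element
    now = time.time() if now is None else now
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return False  # too old (or too far ahead): treat as a replay
    expected = compute_signature(secret, timestamp, raw_body).encode()
    # Constant-time comparison against each v1 value in the header
    return any(hmac.compare_digest(expected, s.encode()) for s in signatures)


# Constructed sample data: not a real secret, event or signature.
SECRET = "whsec_constructed_example_secret"
RAW_BODY = b'{"id": "evt_constructed_1", "type": "customer.subscription.created"}'
T = "1700000000"
HEADER = f"t={T},v1={compute_signature(SECRET, T, RAW_BODY)}"
# Same JSON after a parse/serialise round trip: the bytes differ, so the MAC fails.
RESERIALISED = json.dumps(json.loads(RAW_BODY), separators=(",", ":")).encode()
```
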