Verification of Stripe webhook signatures

Version on this page:
LTS Haskell 22.28:
Stackage Nightly 2023-12-26:
Latest on Hackage:

See all snapshots stripe-signature appears in

MIT licensed by Chris Martin
Maintained by Chris Martin, Julie Moronuki
This version can be pinned in stack with:stripe-signature-,1300

Module documentation for

When Stripe sends an event to your webhook, it includes an HTTP header named Stripe-Signature. You should use this to verify the authenticity of the request to ensure that you are not acting upon forged events originating from some source other than Stripe.


Changelog - 2023-02-01

Support GHC 9.4 - 2022-01-09

Support GHC 9.2 - 2022-01-08

Drop cryptonite and memory dependencies; HMAC is now done using the cryptohash-sha256 package instead

Add some tests for the isSigValid function - 2021-06-05

Support GHC 9.0, cryptonite 0.29, bytestring 0.11, memory 0.16

Switch base16-bytestring version from 0.1 to 1.0 - 2021-03-08

Support cryptonite 0.28 - 2020-09-02

Support cryptonite 0.27 - 2020-05-20

Support GHC 8.10 - 2020-04-18

Tightened dependency version bounds - 2019-05-18

Replace hex-text package dependency with slightly smaller base16-bytestring dependency - 2018-12-20

Initial release