---
title: Webhook signing secrets for payload verification
description: Secure your webhook integrations with HMAC-SHA256 signing secrets. Every delivery includes a signature header so your endpoint can verify the payload came from TheirStack.
url: https://theirstack.com/en/product-updates/2026-03-27-webhook-signing-secret
---

Your [webhooks](/en/docs/webhooks) can now include a signing secret so every delivery is cryptographically signed.

Until now, there was no built-in way to confirm that an incoming payload actually originated from TheirStack—your endpoint had to rely on source IP or URL alone.

Set a signing secret (minimum 16 characters) and every delivery will carry an `X-TheirStack-Signature-256` header containing the HMAC-SHA256 signature of the raw payload. Recompute the HMAC on your side and compare to confirm authenticity and integrity.

In practice:

-   **Payload authenticity** — Know for certain each delivery was sent by TheirStack, not a third party.
-   **Tamper detection** — Any modification to the payload in transit will cause the signature check to fail.
-   **One-click setup** — Generate a secret directly in the webhook form, or bring your own. Also available via the [webhooks API](/en/docs/api-reference/webhooks/post_webhooks_v0).

See the [verification guide](/en/docs/webhooks/verify-webhook-signatures) for code examples and step-by-step instructions.