Stripe Webhook Auth Policy

The Stripe Webhook policy secures your incoming webhooks by validating that the request was sent by Stripe.


The configuration shows how to configure the policy in the 'policies.json' document.

{ "name": "my-stripe-webhook-verification-inbound-policy", "policyType": "stripe-webhook-verification-inbound", "handler": { "export": "StripeWebhookVerificationInboundPolicy", "module": "$import(@zuplo/runtime)", "options": { "tolerance": 300 } } }

Policy Configuration

  • name <string> - The name of your policy instance. This is used as a reference in your routes.
  • policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be stripe-webhook-verification-inbound.
  • handler.export <string> - The name of the exported type. Value should be StripeWebhookVerificationInboundPolicy.
  • handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
  • handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • signingSecret <string> (Required) -
    The signing secret for the webhook.
  • tolerance <number> -
    The allowed clock skew in seconds between the time the webhook signature was crated and the current time.
    Defaults to 300.

Using the Policy

Read more about how policies work

Request Size Limit