Standard Webhooks

An open spec for webhook signing headers that several modern providers (and Hooksbase) follow.

Standard Webhooks is an open spec (standardwebhooks.com) that defines a consistent header format for webhook signing and replay protection across providers. The goal: stop every provider from inventing their own signing scheme. Several modern providers — Clerk, Resend, and others — already follow it.

What the spec standardizes

Three things, expressed as a small set of HTTP headers:

  • webhook-id — a unique identifier per webhook delivery, used for idempotency on the receiving side
  • webhook-timestamp — Unix timestamp when the webhook was sent, used for replay-attack protection
  • webhook-signature — v1,base64(hmac_sha256(secret, "{webhook-id}.{webhook-timestamp}.{raw-body}")), used for sender verification

The webhook-signature header can contain multiple space-separated signatures during secret rotation; a receiver accepts the delivery if any one of them matches. This is how rotation overlap works without dropping events.
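A receiver-side verifier for the three headers and the rotation behaviour described above, added here as an example (it is not code from the Standard Webhooks project or from Hooksbase). It assumes header names arrive lower-cased in a dict, secrets are passed as raw key bytes, and a 300-second tolerance window; the page specifies none of these, and the sample keys and IDs are constructed.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; the page does not give one


def sign(secret: bytes, msg_id: str, timestamp: str, body: bytes) -> str:
    """Build one 'v1,<base64>' value over '{id}.{timestamp}.{raw-body}'."""
    signed = msg_id.encode() + b"." + timestamp.encode() + b"." + body
    digest = hmac.new(secret, signed, hashlib.sha256).digest()
    return "v1," + base64.b64encode(digest).decode()


def verify(headers: dict, body: bytes, secrets: list, now=None) -> bool:
    """True only if the delivery is fresh and one signature matches.

    `secrets` holds every currently valid key (old and new during rotation).
    `body` must be the raw request bytes, not re-serialized JSON.
    """
    msg_id = headers.get("webhook-id", "")
    timestamp = headers.get("webhook-timestamp", "")
    candidates = headers.get("webhook-signature", "").split()
    if not msg_id or not candidates:
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    matched = False
    for secret in secrets:
        expected = sign(secret, msg_id, timestamp, body)
        for candidate in candidates:
            if not candidate.startswith("v1,"):
                continue  # ignore versions this verifier does not implement
            # compare_digest avoids leaking the match position via timing
            if hmac.compare_digest(expected.encode(), candidate.encode()):
                matched = True
    return matched


if __name__ == "__main__":  # constructed delivery, signed with the old key
    raw = b'{"type":"user.created"}'
    hdrs = {"webhook-id": "msg_constructed_1", "webhook-timestamp": "1700000000",
            "webhook-signature": sign(b"old-key", "msg_constructed_1", "1700000000", raw)}
    print(verify(hdrs, raw, [b"new-key", b"old-key"], now=1700000010))
```

Deduplicating on webhook-id after a successful verify is a separate step on the receiving side and is not shown here.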

Why this matters

Without a standard, every provider invents their own signing scheme — Stripe's t=...,v1=..., GitHub's X-Hub-Signature-256, Shopify's base64 HMAC, Slack's v0: prefix, Twilio's URL+sorted-form-fields HMAC-SHA1. Receivers write a different verification function for each one.

Standard Webhooks lets receivers write one verification function and use it across every Standard-Webhooks-compatible provider. As more providers adopt the spec, the integration burden shrinks.

Hooksbase and Standard Webhooks

Hooksbase signs every outbound dispatch with Standard Webhooks-compatible headers. Your destination handler can use any Standard Webhooks library to verify, and the same code works whether the source was a verified provider or a custom producer.

Two of the five Hooksbase pre-verified providers (Clerk, Resend) use Standard Webhooks natively for their inbound signing. Polar (covered by a guide) also follows the spec.

For the broader signing context: HMAC.
