Security: Implement Webhook Event Tamper-Proofing with Payload Signatures

[Smartdevs17]

Context

Webhook payloads travel over the internet and could be intercepted or modified in transit, leading to merchants acting on falsified data.

Current Limitation/Problem

Webhook payloads have basic signature verification but lack comprehensive tamper-proofing including payload body hashing, signed headers, and timestamp validation.

Expected Outcome

Tamper-proof webhook delivery with HMAC-SHA256 payload signatures, timestamp binding, and optional payload encryption. Merchants can verify authenticity without contacting the server.

Acceptance Criteria

• Sign webhook payload with HMAC-SHA256 using merchant-specific secret
• Include signature in header: X-AgenticPay-Signature
• Include timestamp header for replay protection (<5min tolerance)
• Support multiple signature versions for key rotation
• Include signature in webhook body as webhook.signature field
• Optional payload encryption with merchant public key
• Merchant verification guide and code examples in docs
• SDK method: verifyWebhookSignature(payload, signature, secret)
• Automatic secret rotation (90-day expiration)

Technical Scope

• backend/src/services/webhooks/signer.ts - payload signing
• packages/sdk/src/webhooks/verifier.ts - signature verification
• backend/src/services/webhooks/encryption.ts - optional payload encryption
• Prisma: WebhookSecret model with rotation tracking
• Frontend: webhook secret management UI
• Edge cases: payload too large (streaming hash), key rotation period, clock skew

[michaelvic123]

@michaelvic123 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

please assign this issue to me

ℹ️ Repo Maintainers: To accept this application, review their application or assign @michaelvic123 to this issue.

[BigDella]

@BigDella has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

i will love to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @BigDella to this issue.

[drips-wave]

Congratulations, @BigDella! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @BigDella: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been completed by @BigDella as part of the Stellar Wave Program's 6th Wave 🥳

😎 @BigDella: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.