An HTTP status code in the 400-499 or 500-599 range comes from your server, and indicates your system received the request but was unable to process it. Try the following:
In the Dashboard, look at the Response from your server for additional information: There may not be any additional information in the response; it depends on how your server is configured and how your code is designed to respond to errors
Check your server logs for errors or warnings: These errors should point you to the source of the error response, which might be your webhook handling code or a configuration issue on your server
Confirm the Event received has an API version your code is able to handle: API versions define the structure of the object contained in an Event; an API version mismatch between an incoming Event and your processing code may result in unexpected errors
Some common errors that cause 4xx and 5xx status codes and their solutions are detailed below.
This or a similar error (the wording may vary from one library to another) means the webhook signature verification process failed. This error is usually caused by one of the following:
The wrong webhook signing secret (whsec_) was used during the signature verification process
Make sure you're using the webhook signing secret which matches the Webhook Endpoint delivering the Event, which you can find in the Dashboard after selecting a specific Webhook Endpoint
If you're using Stripe CLI it will generate and display a webhook signing secret for you to use when you run the stripe listen command
The body of the request was modified before webhook signature verification took place
The webhook signature verification process requires the raw, unmodified body of the incoming request from Stripe in order to work
If your code is parsing, formatting, or otherwise modifying the body of the request before signature verification you'll see an error like this one
Adjust or remove code, including middleware, which may be modifying the raw body of the incoming request and try again
Note: Node.js middleware often modifies the body of incoming requests; try to extract the raw body before any other middleware runs
This or a similar error (the wording may vary from one library to another) means the Event received is too old to successfully verify. Webhook signatures have a time component, and must be verified shortly after being received.
Try the following:
Confirm the time and date on your server are set correctly
Make sure you're verifying incoming webhook signatures as soon as Events are received, without delay
These errors are usually caused by code throwing an exception, a parsing error, or some kind of breaking change.
Most of the time this class of error is caused by some kind of change on the server or infrastructure responsible for accepting and processing webhooks. New or changed code, a server update, or a configuration change can introduce a new failure mode or incompatibility.
When you encounter this error check your server's error logs for more information. The location of error logs varies from server to server based on configuration, operating system, web server, the programming languages being used, and other factors, so we can't provide specific instructions. We recommend you check both the logs and the error log configuration for any of the following that you may be using to receive webhooks:
Your programming language (Ruby, Python, PHP, Java, Node.js, Go, .NET, etc.)
Your web server (Nginx, Apache, Microsoft IIS, etc.)
Your cloud or server provider (Amazon Web Services, Google Cloud Computing, Cloudflare, etc.)