# Webhooks
Stripe sends webhook events to your application when things happen in your
account — charges succeed, subscriptions renew, disputes are opened, etc.
This guide covers receiving, verifying, and handling those events.
## Signature Verification
Every webhook request includes a `Stripe-Signature` header. Always verify it
before trusting the payload:
```elixir
case Stripe.Webhook.construct_event(payload, sig_header, "whsec_...") do
{:ok, event} -> handle_event(event)
{:error, error} -> send_resp(conn, 400, error.message)
end
```
`construct_event/4` verifies the HMAC-SHA256 signature using constant-time
comparison and checks the timestamp is within the tolerance window (default:
300 seconds).
## WebhookPlug
`Stripe.WebhookPlug` handles the full lifecycle — reading the raw body,
verifying the signature, deserializing the event, and assigning it to
`conn.assigns.stripe_event`.
### Setup
First, configure your webhook secret (see [Getting Started](getting-started.md)):
```elixir
# config/runtime.exs
config :tiger_stripe,
webhook_secret: System.fetch_env!("STRIPE_WEBHOOK_SECRET")
```
Then add the plug to your endpoint **before** `Plug.Parsers` (which consumes
the raw body):
```elixir
# lib/my_app_web/endpoint.ex
plug Stripe.WebhookPlug,
path: "/webhook/stripe"
# This must come AFTER WebhookPlug
plug Plug.Parsers,
parsers: [:urlencoded, :multipart, :json],
json_decoder: JSON
```
The secret is read automatically from `config :tiger_stripe, :webhook_secret`.
### Per-Plug Secret Override
If you have multiple webhook endpoints with different secrets, override
per-plug:
```elixir
plug Stripe.WebhookPlug,
secret: "whsec_other",
path: "/webhook/stripe/connect"
```
Or use an MFA tuple for runtime resolution:
```elixir
plug Stripe.WebhookPlug,
secret: {MyApp.Config, :connect_webhook_secret, []},
path: "/webhook/stripe/connect"
```
### Options
| Option | Type | Default | Description |
|--------|------|---------|-------------|
| `:secret` | `String.t()` or `{mod, fun, args}` | from config | Webhook signing secret |
| `:path` | `String.t()` | required | Request path to match |
| `:tolerance` | `integer()` | `300` | Maximum event age in seconds |
### Handling Events
On successful verification, the event is available at
`conn.assigns.stripe_event`. Route to a controller or plug pipeline to
handle it:
```elixir
# lib/my_app_web/router.ex
scope "/webhook" do
post "/stripe", MyAppWeb.StripeWebhookController, :handle
end
```
```elixir
# lib/my_app_web/controllers/stripe_webhook_controller.ex
defmodule MyAppWeb.StripeWebhookController do
use MyAppWeb, :controller
def handle(conn, _params) do
event = conn.assigns.stripe_event
case event.type do
"checkout.session.completed" ->
fulfill_order(event.data.object)
"invoice.payment_failed" ->
notify_customer(event.data.object)
"customer.subscription.deleted" ->
cancel_subscription(event.data.object)
_ ->
:ok
end
send_resp(conn, 200, "ok")
end
end
```
### Verification Failures
If the signature is invalid or the timestamp is stale, `WebhookPlug` responds
with `400 Bad Request` and halts the connection. Your downstream plugs and
controllers are never invoked.
## Typed Event Modules
V2 events and thin V1 events have dedicated modules with typed data structs:
```elixir
alias Stripe.Events.V1BillingMeterErrorReportTriggeredEvent
# Each event module exposes the Stripe event type string
V1BillingMeterErrorReportTriggeredEvent.lookup_type()
#=> "billing.meter.error_report_triggered"
# Events have typed nested data structs
%V1BillingMeterErrorReportTriggeredEvent{
data: %V1BillingMeterErrorReportTriggeredEvent.Data{}
}
# V2 events support fetching related objects
{:ok, meter} = V2BillingMeterNoMeterFoundEvent.fetch_related_object(event, client)
```
## Tips
- **Always return 200 quickly.** Process events asynchronously (e.g. via
`Task.Supervisor` or an Oban job) to avoid Stripe's 20-second timeout.
- **Handle duplicates.** Stripe may send the same event more than once. Use
`event.id` as an idempotency key.
- **Use the webhook signing secret from the Stripe Dashboard**, not your API
key. Each webhook endpoint has its own secret.
