Are we asymmetric yet?

SaaS webhook signing schemes, ranked by verifiability without a shared secret.

11 / 40 asymmetric

Asymmetric — verifying webhooks requires no secret key material on the consumer.

Shared secret — verifying requires key material on the consumer (HMAC or static token); anyone with it can forge webhooks.

Provider	Scheme	Proof
Apple App Store	JWS / ES256	docs ↗
AWS SNS	RSA-SHA256 (X.509 cert)	docs ↗
Discord	Ed25519	docs ↗
Google Play RTDN	OIDC JWT / RS256	docs ↗
Jira	JWT RS256 (lifecycle) / HS256 (Connect)	docs ↗
Microsoft Graph	JWS RS256 (validation token) + RSA-OAEP encrypted payload	docs ↗
PayPal	RSA-SHA256 (rotating X.509 certs)	docs ↗
Plaid	JWT / ES256	docs ↗
SendGrid	ECDSA P-256	docs ↗
Svix	Ed25519 (opt-in) / HMAC-SHA256 (default)	docs ↗
Twilio	ECDSA P-256 (opt-in) / HMAC-SHA1 (default)	docs ↗
Adyen	HMAC-SHA256	docs ↗
Auth0	Bearer token	docs ↗
Calendly	HMAC-SHA256	docs ↗
Clerk	HMAC-SHA256 (Svix)	docs ↗
Cloudflare	Static shared secret	docs ↗
Coinbase Commerce	HMAC-SHA256	docs ↗
DocuSign	HMAC-SHA256	docs ↗
GitHub	HMAC-SHA256	docs ↗
GitLab	HMAC-SHA256 / X-Gitlab-Token	docs ↗
HubSpot	HMAC-SHA256	docs ↗
Intercom	HMAC-SHA1	docs ↗
Linear	HMAC-SHA256	docs ↗
Mailgun	HMAC-SHA256	docs ↗
Mux	HMAC-SHA256	docs ↗
Netlify	JWS HS256	docs ↗
Notion	HMAC-SHA256	docs ↗
Okta	Static header token	docs ↗
Paddle	HMAC-SHA256	docs ↗
Postmark	HTTP Basic Auth	docs ↗
Replicate	HMAC-SHA256 (Svix)	docs ↗
Resend	HMAC-SHA256 (Svix)	docs ↗
Sentry	HMAC-SHA256	docs ↗
Shopify	HMAC-SHA256	docs ↗
Slack	HMAC-SHA256	docs ↗
Square	HMAC-SHA256	docs ↗
Stripe	HMAC-SHA256	docs ↗
Vercel	HMAC-SHA1	docs ↗
Zendesk	HMAC-SHA256	docs ↗
Zoom	HMAC-SHA256	docs ↗

Spotted a missing or wrong entry?

This list is open source. PRs and issues welcome.