VaultDevLabs

WooCommerce Stripe webhook signature mismatch

What to check when WooCommerce and Stripe report a webhook signature mismatch, failed webhook validation or payment/order drift.

Problem

Webhook signature mismatch errors usually mean WooCommerce rejected a Stripe event because the signing secret, endpoint URL, raw-body handling or live/test context did not match what the plugin expected. That can leave Stripe payment records and WooCommerce order state drifting apart, and it can also signal that webhook trust boundaries need review.

Symptoms

  • WooCommerce or gateway logs mention signature mismatch, invalid signature or failed webhook validation.
  • Stripe shows event delivery attempts, but WooCommerce does not create the expected paid or processing order note.
  • The issue starts after a plugin update, staging/live move, endpoint edit, secret rotation or account change.
  • Multiple Stripe endpoints, accounts or plugins appear to be sending events to the same store.

Common causes

  • The webhook signing secret in WooCommerce does not match the active Stripe endpoint secret.
  • Multiple Stripe accounts or environments are pointing at the same store with conflicting secrets.
  • A plugin update, environment change, or copied configuration left old webhook values in place.
  • A proxy, security layer, serverless function or custom code changed request body handling enough to break signature verification.
  • The endpoint accepts events from the wrong environment or does not fail closed consistently on invalid signatures.
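
The causes above, as an added example (not code from this page or from the WooCommerce Stripe plugin): a minimal verifier following Stripe's documented Stripe-Signature scheme (a t= timestamp and a v1= hex HMAC-SHA256 over "timestamp.raw_body"), showing that a wrong-environment secret, a re-serialised body or a stale timestamp is rejected. The secrets, event ID, timestamp and the diagnose helper are constructed for illustration.

```python
import hashlib
import hmac
import json

TOLERANCE_SECONDS = 300  # replay window; Stripe's libraries default to five minutes


def sign(secret: str, timestamp: int, raw_body: bytes) -> str:
    """v1 signature: hex HMAC-SHA256 over b"<timestamp>.<raw body>"."""
    message = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify(secret: str, header: str, raw_body: bytes, now: int) -> tuple:
    """Return (accepted, reason); every failure path rejects (fail closed)."""
    try:
        pairs = [item.split("=", 1) for item in (header or "").split(",")]
        timestamp = int(next(v for k, v in pairs if k == "t"))
        candidates = [v for k, v in pairs if k == "v1"]
    except (ValueError, StopIteration):
        return False, "malformed or missing Stripe-Signature header"
    if not candidates:
        return False, "no v1 signature in header"
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    expected = sign(secret, timestamp, raw_body).encode()
    if any(hmac.compare_digest(expected, c.encode()) for c in candidates):
        return True, "ok"
    return False, "signature mismatch"


def diagnose(secrets: dict, header: str, raw_body: bytes, now: int) -> str:
    """Name which configured secret, if any, validates the delivered bytes."""
    for label, secret in secrets.items():
        if verify(secret, header, raw_body, now)[0]:
            return f"valid for '{label}' secret"
    return "rejected: no configured secret validates these bytes"


# Constructed sample data: not real secrets, events or timestamps.
SECRETS = {"live": "whsec_constructed_live", "test": "whsec_constructed_test"}
NOW = 1_700_000_000
RAW = b'{\n  "id": "evt_constructed_001",\n  "type": "payment_intent.succeeded"\n}'
HEADER = f"t={NOW},v1={sign(SECRETS['test'], NOW, RAW)}"
REENCODED = json.dumps(json.loads(RAW)).encode()  # body after a layer re-serialises it

if __name__ == "__main__":
    print(verify(SECRETS["live"], HEADER, RAW, NOW))        # wrong environment's secret
    print(diagnose(SECRETS, HEADER, RAW, NOW))              # names the matching secret
    print(verify(SECRETS["test"], HEADER, REENCODED, NOW))  # right secret, altered body
```

The re-serialised body parses to the same JSON but is not byte-identical, which is why verification must run over the bytes exactly as received.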

What to check

  • Confirm the exact Stripe account, endpoint URL, mode and signing secret currently configured in WooCommerce.
  • Check whether staging/live settings, multiple plugins or multiple Stripe accounts are sharing webhook destinations.
  • Review recent updates, environment moves, and custom checkout or webhook code.
  • Check Stripe delivery response codes and WooCommerce order notes for the same event timestamps.
  • Run the free scan to surface whether payment records and WooCommerce order state have already diverged.

Evidence to collect

  • Stripe webhook endpoint URL, mode, recent delivery attempts, response codes and event IDs.
  • WooCommerce gateway logs, order notes and plugin settings showing the active signing secret context.
  • Recent plugin, hosting, proxy, cache, security or custom webhook code changes.
  • Example order/payment IDs where Stripe and WooCommerce no longer tell the same story.

What not to do

  • Do not paste webhook signing secrets into email or support tickets.
  • Do not disable signature verification to make orders process.
  • Do not replay real production events or edit customer orders until evidence is matched.
  • Do not treat a signature mismatch as only an operational issue if public webhook exposure or fail-open behaviour is possible.

Next steps

  1. Use the free scan if you need to see whether payment/order evidence has already drifted.
  2. Request Payment Rescue Review when a specific order or customer-support decision is blocked.
  3. Request Stripe Webhook Security Review when you need approved endpoint exposure, invalid-signature rejection and webhook boundary evidence.

Need help checking this on a live store?

If a live WooCommerce order is stuck, start with payment evidence. If the concern is whether the webhook boundary rejects invalid callers and exposes only the right routes, request Stripe Webhook Security Review.