How to Fix the 'No stripe-signature header value was provided' Error in a Strapi Stripe Webhook

When you see an error like

  No stripe‑signature header value was provided

this indicates that while Stripe CLI is forwarding the event—including the stripe‑signature header—the way your webhook endpoint is handling/parsing the request is causing that header (or the raw body) to be unavailable for verification.

Stripe’s webhook signature verification requires the raw request payload (as a Buffer or string) exactly as it was received before any body parsing occurs. In your code, you’re using:

  const body = JSON.stringify(ctx.request.body);

This means you’re passing along a JSON‑stringified version of the already‑parsed body rather than the raw payload. In addition, Strapi’s default body parser middleware may interfere with the raw request data, which can lead to the signature header being missing or the payload being modified.

How to Fix

There are two key changes:

1. Disable or Bypass the Default Body Parser for your webhook endpoint so you can access the raw request body.
2. Use the Raw Body for Signature Verification instead of the parsed body.

Option 1: Use the Raw Body from Koa

If your Strapi/Koa setup exposes the raw content (sometimes available as ctx.request.rawBody), modify your controller as follows:

JAVASCRIPTCopied
async handleWebhook(ctx) {
  // Use the raw body (it must be unprocessed)
  const rawBody = ctx.request.rawBody;
  const endpointSecret = process.env.STRIPE_WEBHOOK_SECRET;
  const signature = ctx.request.headers['stripe-signature'];

  console.log(rawBody);
  console.log(signature);
  console.log(endpointSecret);

  try {
    // Use the raw body for constructing the event
    const event = stripe.webhooks.constructEvent(rawBody, signature, endpointSecret);

    // Process the event
    if (event.type === 'payment_intent.succeeded') {
      const paymentIntent = event.data.object;
      console.log('Pago exitoso:', paymentIntent);
    }

    // Respond with 200 OK
    ctx.status = 200;
    ctx.body = 'Webhook recibido correctamente';
  } catch (err) {
    // Handle signature verification error
    console.error('Error al procesar el webhook:', err.message);
    ctx.status = 400;
    ctx.body = `Error del webhook: ${err.message}`;
  }
}

Note: For this to work, you must configure Strapi (or Koa) so that the raw body is available on the request. This usually involves disabling the default body parser for this route.

Option 2: Disable Body Parsing for Your Webhook Route

You can disable the body parser for your webhook route so that the raw body can be retrieved. In Strapi, you would typically adjust the middleware configuration for that route. For example, if using a custom middleware or modifying the global settings, you can disable body parsing on the endpoint. Check the Strapi documentation for details on configuring the parser middleware per route. An example route configuration might look like:

JAVASCRIPTCopied
module.exports = {
  routes: [
    // ...other routes...
    {
      method: 'POST',
      path: '/orders/stripe-webhook',
      handler: 'order.handleWebhook',
      config: {
        auth: false,
        // Disable the body parser for this route (syntax may vary based on your Strapi version)
        body: {
          enabled: false,
        },
      },
    },
  ],
};

This will ensure that the request isn’t parsed before reaching your controller, allowing you to access the unmodified body (e.g., via ctx.request.rawBody).

Summary

• Stripe’s webhook signature requires the raw payload.
• Strapi’s (Koa) body parser by default will process the request body, which can prevent you from getting the original payload and cause the signature header to appear missing.
• Disable body parsing for the webhook route or use the raw body (if available) to pass to stripe.webhooks.constructEvent.

By making these adjustments, you should be able to correctly retrieve the stripe‑signature header and the raw body, allowing Stripe’s signature verification to work as expected.