Generate Webhook Handlers with Signature Verification
Webhook handlers always need the same three things: signature verification, idempotency, and event routing. Claude can write all three correctly — and signature verification is the part developers most often skip.
"Write a webhook handler for Stripe events in Laravel:
- Verify the Stripe-Signature header using the webhook secret
- Store raw payloads in a webhooks table with processed_at
- Route each event type to a dedicated handler class
- Skip duplicate events using the Stripe event ID
Add Pest tests for a valid signature, an invalid signature, and a duplicate event."
Skipping signature verification is a security mistake that's surprisingly easy to make when you're in a hurry. Asking Claude to write the verification upfront bakes it in from the start rather than bolting it on later.
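use Stripe\Exception\SignatureVerificationException;
use Stripe\Webhook;

// Verify against the raw request body, not the parsed JSON
$payload = $request->getContent();
$signature = $request->header('Stripe-Signature', '');
try {
    $event = Webhook::constructEvent($payload, $signature, config('services.stripe.webhook_secret'));
} catch (SignatureVerificationException $e) {
    // Reject anything that was not signed with the webhook secret
    return response()->json(['error' => 'Invalid signature'], 400);
}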
The event routing pattern also prevents one bad event type from crashing the others — each event gets its own handler class and can fail independently. Claude wires up the dispatch table and generates stub handlers for every event type you list.
Works just as well for GitHub, Shopify, Paddle, or any webhook provider — just swap the signature algorithm and header name in your prompt.
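As an added example (not from the original tip and not Stripe's or GitHub's library code), here is what the check amounts to in plain PHP for the Stripe scheme and the GitHub scheme, to show what swapping the algorithm and header name changes. The function names, secret, payload, timestamp and the 300-second tolerance are assumptions chosen for illustration.

```php
<?php
// Stripe scheme: header "t=<unix ts>,v1=<hex hmac>", HMAC-SHA256 over "<t>.<raw body>".
function verifyStripeStyle(string $rawBody, string $header, string $secret, int $now, int $tolerance = 300): bool
{
    $timestamp = null;
    $candidates = [];
    foreach (explode(',', $header) as $part) {
        [$key, $value] = array_pad(explode('=', trim($part), 2), 2, '');
        if ($key === 't') {
            $timestamp = $value;
        } elseif ($key === 'v1') {
            $candidates[] = $value; // several v1 entries can appear while a secret is rotated
        }
    }
    if ($timestamp === null || !ctype_digit($timestamp) || $candidates === []) {
        return false; // malformed or missing header
    }
    if (abs($now - (int) $timestamp) > $tolerance) {
        return false; // stale timestamp: a captured request cannot be replayed later
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $rawBody, $secret);
    foreach ($candidates as $candidate) {
        if (hash_equals($expected, $candidate)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// GitHub scheme: header X-Hub-Signature-256 "sha256=<hex hmac>", HMAC-SHA256 over the raw body.
function verifyGitHubStyle(string $rawBody, string $header, string $secret): bool
{
    if (!str_starts_with($header, 'sha256=')) {
        return false;
    }
    return hash_equals(hash_hmac('sha256', $rawBody, $secret), substr($header, 7));
}

// Constructed sample data (not a real secret or event).
$secret = 'whsec_constructed_example';
$body = '{"id":"evt_constructed_1","type":"invoice.paid"}';
$now = 1700000000;
$good = 't=' . $now . ',v1=' . hash_hmac('sha256', $now . '.' . $body, $secret);
var_dump(verifyStripeStyle($body, $good, $secret, $now));        // case: untouched request
var_dump(verifyStripeStyle($body . ' ', $good, $secret, $now));  // case: body altered after signing
var_dump(verifyStripeStyle($body, $good, $secret, $now + 3600)); // case: same request an hour later
var_dump(verifyGitHubStyle($body, 'sha256=' . hash_hmac('sha256', $body, $secret), $secret));
```

Both checks have to run against the raw request body (`$request->getContent()` in Laravel), because re-encoding parsed JSON changes the bytes the HMAC covers.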
Webhook security isn't optional — let Claude write the verification boilerplate so you're never tempted to skip it.