Stripe Webhook Signature Verification Failing with Traefik - Need Help Preserving Raw Request Body

[BasharSiddiqui]

I'm having an issue with Stripe webhook signature verification when using Dokploy with Traefik. The webhook processing works correctly, but signature verification fails because Traefik seems to be modifying the request body.
The Problem:

• Stripe webhooks require the exact raw request body for signature verification

• Traefik appears to be modifying the request body/headers

• Getting error: "No signatures found matching the expected signature for payload"

[Serhioromano]

Please post here is you happen to resolve that issue no matter how, even if you ditch Dokploy for that, I would like to know.

[JC-Coder]

I have this same issue
on my bare vps ( node + pm2 + nginx ) it works fine, but with dokploy and traefik it's not working.

[poltrendia]

Hey!
I don't know if it is related but I was facing a similar issue with Dokploy/Traefik and the stripe webhook handler. Worked on dev, not on prod, not tested outside Dokploy infra. The trick was switching the construction of the stripe event from the method .constructEvent() to the async method (wrapping the function async), snipped below.

Stripe.webhooks.constructEventAsync(rawBody, signature, webhookSecret);

Regardin the traefik issue if you already are handling the processing correctly, I can tell you that I tested while debugging adding another specific route with no middleware in the dynamic file for that specific app and it looks like it wasn't affecting the raw payload. I'll leave the snipped if it helps as well:

http:
  routers:
    stripe-webhook-router:
      rule: "Host(`staging.myapp.com`) && Path(`/api/v1/webhooks`)"
      entryPoints:
        - websecure
      service: stripe-webhook-service
      tls:
        certResolver: letsencrypt
  services:
    stripe-webhook-service:
      loadBalancer:
        servers:
          - url: http://internal-container-dns:3000
        passHostHeader: true

Hope you can fix it man, BR

[Ilia01]

A pure proxy usually should not need to change the webhook body for Stripe verification to work, so I would be careful about assuming Traefik is the mutating layer without isolating where the bytes actually diverge.

The failure mode I would check first is:

• request reaches your app through Dokploy/Traefik
• app/framework reads or normalizes the body before constructEvent(...)
• signature mismatch gets blamed on the proxy

A couple of concrete checks:

• verify against the exact raw bytes at the very first app entry point, before JSON parsing or any helper that consumes the stream
• keep the raw body as Buffer, not buf.toString() unless the SDK explicitly wants a string in that runtime
• compare the failing delivery through Dokploy with the same delivery sent directly to the app container if you can
• log whether the mismatch disappears when you bypass all application middleware except the webhook route

constructEventAsync() may help if the runtime is the issue, but it does not sound like the root cause here by itself.

I built HookLens for this exact debugging loop because these failures often get blamed on the wrong layer: capture the request before the app stack parses it, inspect the verification result, then replay the same delivery after changing middleware or proxy config: https://github.com/Ilia01/hooklens