This page is a skeleton. Detailed prose will land later; for now it sketches the concept and links out to the related reference pages.

Replay window for incoming webhooks (Stripe)

The platform automatically enforces a ±300 s tolerance window on the Stripe signature timestamp field for all incoming webhooks (StripeSignatureVerifier). No operator action is required.

Replay window for outgoing webhooks

When consuming platform deliveries, integrators that want replay protection should implement their own window using the X-{Brand}-Timestamp header (ISO 8601 UTC, Z suffix, e.g. 2026-05-29T12:00:00Z). Reject any delivery whose timestamp is older than your chosen threshold (300 s is conventional).
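A receiver-side version of that check, as an added example rather than platform code: it parses the timestamp header strictly and rejects deliveries outside the window. Assumptions: `X-Example-Timestamp` stands in for the `{Brand}` placeholder, only the whole-second `Z` form shown above is accepted, and timestamps more than 300 s in the future are also rejected.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: "Example" stands in for the {Brand} placeholder in the header name.
TIMESTAMP_HEADER = "X-Example-Timestamp"
MAX_AGE = timedelta(seconds=300)          # conventional threshold from the text
MAX_FUTURE_SKEW = timedelta(seconds=300)  # assumption: mirror the window for clock skew

# Only the form shown in the text is accepted: whole seconds, UTC, literal Z suffix.
_TS_FORMAT = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z", re.ASCII)


def parse_timestamp(value):
    """Parse a strict ISO 8601 UTC timestamp; raise ValueError on anything else."""
    if not _TS_FORMAT.fullmatch(value):
        raise ValueError("timestamp is not in YYYY-MM-DDTHH:MM:SSZ form")
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def check_replay_window(headers, now=None):
    """Return (accepted, reason) for one delivery's headers."""
    now = now or datetime.now(timezone.utc)
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get(TIMESTAMP_HEADER.lower())
    if raw is None:
        return False, "missing timestamp header"
    try:
        sent = parse_timestamp(raw.strip())
    except ValueError:
        return False, "malformed timestamp"
    age = now - sent
    if age > MAX_AGE:
        return False, "stale"
    if age < -MAX_FUTURE_SKEW:
        return False, "timestamp in the future"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample delivery headers, not captured from the platform.
    sample = {"x-example-timestamp": "2026-05-29T12:00:00Z"}
    at = datetime(2026, 5, 29, 12, 4, 0, tzinfo=timezone.utc)
    print(check_replay_window(sample, now=at))
```

Run this check only after the delivery itself has been authenticated, because an unauthenticated timestamp header can be set to any value by the sender.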