piesync / billbo

Easy to use billing service for Stripe with VAT support
MIT License

Extra Stripe Security #16

Open challengee opened 10 years ago

challengee commented 10 years ago

Stripe:

Webhook data is sent as JSON in the request's body. The full event details are included and can be used directly. Alternatively, the event is also available in the Stripe API. If security is a concern, or if it's important to confirm that Stripe sent the webhook, you should only use the ID sent in your webhook and should request the remaining details from the Stripe API directly. We also advise you to guard against replay-attacks by recording which events you receive, and never processing events twice.
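The handling Stripe describes in the quoted text, as an added example that is not part of the issue or of billbo's code: only the event ID is taken from the webhook body, the event itself comes from an API lookup, and processed IDs are recorded so a replay is ignored. `WebhookGuard`, `fetch_event`, `API_EVENTS` and the sample event are assumptions constructed for illustration; the lookup is injected so the block runs offline.

```ruby
require 'json'
require 'set'

# Hypothetical handler; class and method names are assumptions, not billbo's.
class WebhookGuard
  EVENT_ID = /\Aevt_[A-Za-z0-9_]+\z/ # Stripe event IDs carry an evt_ prefix

  # fetch_event: callable returning the authoritative event for an ID, or nil
  #   if unknown. With the stripe gem it would wrap Stripe::Event.retrieve(id)
  #   and map a lookup error to nil.
  # seen: processed-ID store. A Set here; a real deployment needs a
  #   persistent store with a unique constraint.
  def initialize(fetch_event:, seen: Set.new)
    @fetch_event = fetch_event
    @seen = seen
    @lock = Mutex.new
  end

  # Returns [:processed, event], [:duplicate, nil] or [:rejected, nil].
  def handle(raw_body)
    id = extract_id(raw_body)
    return [:rejected, nil] unless id
    return [:duplicate, nil] if @lock.synchronize { @seen.include?(id) }

    # Everything in the body except the ID is discarded as untrusted.
    event = @fetch_event.call(id)
    return [:rejected, nil] if event.nil?

    # Set#add? returns nil if a concurrent request already recorded the ID.
    return [:duplicate, nil] unless @lock.synchronize { @seen.add?(id) }
    [:processed, event]
  end

  private

  def extract_id(raw_body)
    payload = JSON.parse(raw_body)
    id = payload.is_a?(Hash) ? payload['id'] : nil
    id.is_a?(String) && id.match?(EVENT_ID) ? id : nil
  rescue JSON::ParserError
    nil
  end
end

# Constructed sample data standing in for the Stripe API.
API_EVENTS = { 'evt_constructed_001' => {
  'id' => 'evt_constructed_001', 'type' => 'invoice.payment_succeeded',
  'data' => { 'amount' => 1000 } } }.freeze
GUARD = WebhookGuard.new(fetch_event: ->(id) { API_EVENTS[id] })
```

A body that reuses a real event ID but alters the amount still yields the API's copy of the event, and sending the same body again returns `:duplicate`.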