About

A browser-based local webhook signature verifier tool. No data sent to server.

📘 How to Use

  1. Provide the Secret Key and the full request payload.
  2. Paste the signature received in the webhook header.
  3. Select the correct HMAC hash algorithm (e.g., SHA-256).
  4. Instantly view the verification status and the calculated signature.

Local Webhook Signature Verifier

Fully Client-Side Processing

This tool does not communicate with the server. All entered secret keys and payloads are processed locally in your browser and are never sent externally.

* For comparison, prefixes like sha256= or v1= are excluded from the received signature.

Webhook Signature Verifier | Online Tool for HMAC-SHA256 Verification & Debugging

An online developer tool for verifying and debugging HMAC-based webhook signatures (SHA-256, SHA-512, SHA-1). Quickly validate if your calculated signature matches the one sent by a provider (like Stripe, GitHub, or Shopify) to ensure webhook integrity and security.

💡 Tool Overview

This simulator helps developers troubleshoot and confirm their webhook signature validation logic without writing any code. It's designed to identify common issues like mismatched secrets, payload formatting errors, or incorrect algorithm choices.

  • Real-time Verification: Signatures are calculated and compared instantly as you type, providing immediate feedback.
  • Multiple Algorithms: Supports the most common HMAC algorithms used in webhooks: SHA-256, SHA-512, and SHA-1.
  • Detailed Mismatch Analysis: If signatures don't match, the tool provides a character-by-character visual comparison, highlighting the exact point of difference for easy debugging.
  • Secure & Private: All data, including your secret key and payload, is processed exclusively within your browser. No information is ever sent to our servers.

🧐 Frequently Asked Questions

Q. What format should I use for the 'Received Signature' field?

A. You can paste the entire signature value directly from the HTTP header (e.g., X-Hub-Signature-256). The tool will automatically extract the hexadecimal hash from common formats like sha256=... or v1=....

Q. Why is my calculated signature not matching the received one?

A. A mismatch is almost always caused by one of these issues:

  1. Incorrect Secret: Ensure you are using the exact, correct webhook signing secret from your provider's dashboard.
  2. Payload Discrepancy: The request body (payload) used for calculation must be the raw, unmodified string that the provider used. Even a single extra space, newline, or different character encoding will result in a different signature.
  3. Wrong Algorithm: Double-check that you have selected the same hash algorithm (e.g., SHA-256) that the webhook provider uses.

📚 The Ins and Outs of Webhook Signatures

Webhook signature verification is a critical security measure to confirm that a received webhook request is both authentic (it came from the expected source) and unmodified. Without it, a malicious actor could send a forged request to your endpoint, potentially causing data corruption or triggering unauthorized actions.

The process uses a Hash-based Message Authentication Code (HMAC). Unlike a simple hash (like SHA-256) of the payload, an HMAC incorporates a secret key into the hashing process. The sender (e.g., Stripe) calculates a signature using the request payload and your private secret key. When your server receives the request, it performs the exact same calculation with the same secret key. If the calculated signature matches the one in the request header, you can be confident the request is legitimate, as only you and the sender know the secret key.
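The server-side check described above, together with the three mismatch causes from the FAQ, can be reproduced in a few lines. This is an added example, not code from the tool itself; the secret, payload and function names are constructed for illustration, and the prefix handling assumes the header carries a single name=hex value.

```python
import hashlib
import hmac
import json

ALGORITHMS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512, "sha1": hashlib.sha1}


def extract_hex(header_value: str) -> str:
    """Drop a scheme prefix such as 'sha256=' or 'v1=' and normalise case."""
    value = header_value.strip()
    _, sep, rest = value.partition("=")
    return (rest if sep else value).strip().lower()


def compute_signature(secret: bytes, raw_body: bytes, algorithm: str = "sha256") -> str:
    """Hex HMAC over the exact bytes received, never over re-serialised JSON."""
    return hmac.new(secret, raw_body, ALGORITHMS[algorithm]).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, header_value: str,
                   algorithm: str = "sha256") -> bool:
    expected = compute_signature(secret, raw_body, algorithm)
    received = extract_hex(header_value)
    # Constant-time comparison: a plain == can leak how many leading
    # characters matched through response timing.
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample data (not from any real provider).
SECRET = b"constructed-example-secret"
RAW_BODY = b'{"event": "order.paid", "id": 42}\n'
HEADER = "sha256=" + compute_signature(SECRET, RAW_BODY)


def demo() -> dict:
    """Reproduce the three mismatch causes from the FAQ against one request."""
    # Parsing and re-dumping JSON changes whitespace, so the bytes differ.
    reserialised = json.dumps(json.loads(RAW_BODY), separators=(",", ":")).encode()
    return {
        "raw body": verify_webhook(SECRET, RAW_BODY, HEADER),
        "re-serialised body": verify_webhook(SECRET, reserialised, HEADER),
        "wrong secret": verify_webhook(b"some-other-secret", RAW_BODY, HEADER),
        "wrong algorithm": verify_webhook(SECRET, RAW_BODY, HEADER, "sha512"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20} {'MATCH' if ok else 'MISMATCH'}")
```

In a real handler, pass the request body bytes exactly as read from the socket or framework, before any JSON parsing middleware touches them.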