🔐 Free · private · in-browser
Free webhook signature verifier — GitHub & Stripe HMAC
Verify HMAC-SHA256 webhook signatures without shipping code.
Expected signature
Confirm a webhook really came from the provider
Anyone who learns your endpoint URL can POST to it. Signature verification is what proves a request genuinely came from GitHub, Stripe, Shopify, or Slack — and was not modified in transit. The provider signs the raw body with a shared secret; you recompute that signature and compare. This tool runs the comparison in your browser so you can debug a mismatch without deploying code.
Getting a match
The single most common cause of a failed check is signing a re-serialized body instead of theexact raw bytes received. Frameworks that parse JSON before you read the body will change whitespace and key order, breaking the HMAC. Always verify against the raw payload — the same string you would paste here. For Stripe, the signed value istimestamp + "." + rawBody; this tool builds that for you from thet= value in the header.
Capture the exact raw body first with the Webhook Inspector.
Frequently asked questions
How does webhook signature verification work?
The sender computes an HMAC of the raw request body using a shared secret and puts the result in a header. You recompute the same HMAC with your copy of the secret and compare. If they match, the payload is authentic and untampered. This tool does that comparison in your browser.
Which providers are supported?
GitHub (X-Hub-Signature-256, HMAC-SHA256), Stripe (Stripe-Signature with the timestamped scheme), and a generic raw HMAC-SHA256 hex/base64 mode that covers Shopify, Slack, and most others.
Is my signing secret sent anywhere?
No. The HMAC is computed locally with the Web Crypto API. Your secret and payload never leave the page.