🔐 Security Tool

Webhook Signature Verifier

Verify that incoming webhooks are genuinely from your providers — not forged requests. Your secrets never leave the browser.


How It Works

// STEP 01
Provider Sends Webhook
When an event occurs (e.g. payment), the provider sends an HTTP POST to your endpoint with the payload and a signature header.
// STEP 02
Signature is Computed
The provider hashes the raw payload using your shared secret via HMAC-SHA256 (or SHA1). The result is included in the request header.
// STEP 03
You Re-Compute & Compare
Your server does the same computation. If your result matches the header value, the request is authentic. This tool does exactly that — client-side.
// STEP 04
Accept or Reject
If the signatures match → process the event. If they don't → reject the request. This blocks forged or tampered webhooks; replay protection additionally depends on a signed timestamp, as in Stripe's scheme (see the FAQ).

Provider Reference

| Provider | Algorithm | Signature Header |
|---|---|---|
| Stripe | HMAC-SHA256 | Stripe-Signature: t=...,v1=<hex> |
| GitHub | HMAC-SHA256 | X-Hub-Signature-256: sha256=<hex> |
| Shopify | HMAC-SHA256 | X-Shopify-Hmac-Sha256: <base64> |
| Slack | HMAC-SHA256 | X-Slack-Signature: v0=<hex> |
| Zoom | HMAC-SHA256 | x-zm-signature: v0=<hex> |
| Paddle | HMAC-SHA256 | Paddle-Signature: ts=...;h1=<hex> |
| Twilio | HMAC-SHA1 | X-Twilio-Signature: <base64> |
| SendGrid | HMAC-SHA256 | X-Twilio-Email-Event-Webhook-Signature |
| WooCommerce | HMAC-SHA256 | X-WC-Webhook-Signature: <base64> |
| HubSpot | HMAC-SHA256 | X-HubSpot-Signature: <hex> |
| Klaviyo | HMAC-SHA256 | X-Klaviyo-Signature: <base64> |
| Linear | HMAC-SHA256 | Linear-Signature: <hex> |
| Svix | HMAC-SHA256 | svix-signature: v1,<base64> |
| PagerDuty | HMAC-SHA256 | X-PagerDuty-Signature: v1=<hex> |
| PayPal | HMAC-SHA256 | PAYPAL-TRANSMISSION-SIG: <base64> |
| Adyen | HMAC-SHA256 | additionalData.hmacSignature (in JSON body) |
| iyzico | HMAC-SHA256 | X-IYZ-SIGNATURE-V3: <hex> |
| Craftgate | HMAC-SHA256 | x-cg-signature-v1: <base64> |
| Custom HMAC | HMAC-SHA256 | Any header (paste value directly) |

FAQ

Is my webhook secret safe?
Yes. Everything runs in your browser using the Web Crypto API. No data is sent to any server — not the payload, not the secret, nothing. You can verify this by opening DevTools → Network tab while using the tool.
Why does Stripe verification include a timestamp?
Stripe signs timestamp.payload (not just the payload) to prevent replay attacks. If the same webhook is sent again hours later, its timestamp falls outside your tolerance window, even if the payload is identical. Stripe's default tolerance is 300 seconds (5 minutes).
Why is exact raw body important?
HMAC is computed over the exact bytes of the request body. If you pretty-print the JSON, add/remove whitespace, or re-encode it in any way, the signature won't match even if the data is semantically identical. Always use the raw body before any parsing.
What is HMAC-SHA256?
HMAC (Hash-based Message Authentication Code) is a way to verify both data integrity and authenticity. It uses a cryptographic hash function (SHA-256) combined with a shared secret key. Only parties who know the secret can produce or verify the correct HMAC.
Shopify uses Base64, GitHub uses hex — why?
Different providers just chose different encodings for the binary HMAC output. The underlying computation is the same HMAC-SHA256. GitHub prefixes with sha256= and uses hex. Shopify uses raw Base64. This tool handles the encoding differences automatically.
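
The Stripe timestamp check and the raw-body requirement from the FAQ above, as an added Node.js example that is not this tool's own code: it verifies a t=...,v1=<hex> header over timestamp.payload with a constant-time comparison and the 300-second tolerance. The secret, event body and timestamps are constructed sample values, and the function names and return strings are assumptions.

```javascript
// Added example, not the tool's own code; function names are illustrative.
const crypto = require("node:crypto");
const TOLERANCE_SECONDS = 300; // Stripe's default tolerance, per the FAQ

// Parse "t=<unix>,v1=<hex>" into a timestamp and candidate signatures.
function parseHeader(header) {
  const out = { t: null, v1: [] };
  for (const part of String(header).split(",")) {
    const [key, value = ""] = part.trim().split("=", 2);
    if (key === "t" && /^\d+$/.test(value)) out.t = Number(value);
    if (key === "v1" && /^[0-9a-f]{64}$/i.test(value)) out.v1.push(value);
  }
  return out;
}

// HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded.
function sign(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.`).update(rawBody).digest("hex");
}

// rawBody must be the exact bytes received, before any JSON parsing.
function verify(secret, header, rawBody, nowSeconds) {
  const { t, v1 } = parseHeader(header);
  if (t === null || v1.length === 0) return "malformed";
  const expected = Buffer.from(sign(secret, t, rawBody), "hex");
  // Constant-time compare; both buffers are 32 bytes after the regex check.
  const match = v1.some((s) => crypto.timingSafeEqual(expected, Buffer.from(s, "hex")));
  if (!match) return "bad-signature";
  if (Math.abs(nowSeconds - t) > TOLERANCE_SECONDS) return "stale";
  return "ok";
}

// Constructed sample values (not a real secret or event).
const SECRET = "whsec_constructed_example";
const RAW = '{"id":"evt_demo","type":"payment.succeeded"}';
const T = 1700000000;
const HEADER = `t=${T},v1=${sign(SECRET, T, RAW)}`;

function demo() {
  const pretty = JSON.stringify(JSON.parse(RAW), null, 2); // same data, new bytes
  const movedTs = HEADER.replace(`t=${T}`, `t=${T + 3590}`); // timestamp edited in transit
  return {
    fresh: verify(SECRET, HEADER, RAW, T + 10),
    replayed: verify(SECRET, HEADER, RAW, T + 3600),
    reserialized: verify(SECRET, HEADER, pretty, T + 10),
    movedTimestamp: verify(SECRET, movedTs, RAW, T + 3600),
  };
}
console.log(demo());
```

Because the timestamp is part of the signed string, rewriting t in the header to look fresh invalidates the signature instead of bypassing the tolerance check.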