</> DevKit
πŸ”—

Webhook Signature Verifier

Sign and verify webhook HMAC signatures

πŸ”— App Screenshot
Download on the App Store

What is Webhook Signature Verifier?

Webhook Signature Verifier computes and validates HMAC signatures for webhook payloads. Webhooks are HTTP callbacks that services use to notify your application about events. To prevent spoofing and tampering, webhook providers include a cryptographic signature in the request headers, computed using a shared secret. This tool lets you verify those signatures or generate them for testing.

Every major platform uses webhook signatures: Stripe signs with HMAC-SHA256 using a timestamp prefix, GitHub uses HMAC-SHA256 with a sha256= prefix, Slack uses HMAC-SHA256 with a versioned signing scheme, and Shopify uses HMAC-SHA256 encoded as Base64. DevKit includes presets for these common formats and supports custom configurations for any HMAC-based scheme.

How to Use Webhook Signature Verifier

Paste the raw request body into the payload editor and enter your signing secret. Select the HMAC algorithm and output encoding that match your webhook provider. The tool computes the signature and displays it alongside the expected format.

To verify a received webhook, paste the signature from the request headers. The tool compares it against the computed signature and reports whether they match. For time-based schemes like Stripe, enter the timestamp value to include it in the signature computation.

Use the provider presets to automatically configure the algorithm, encoding, and header format for popular services.

Common Use Cases

  • Webhook integration development: Verify that your webhook handler correctly validates signatures before processing events from Stripe, GitHub, or other services.
  • Debugging signature failures: When webhook signature verification fails in production, paste the raw body and secret to identify whether the issue is body parsing, encoding, or secret mismatch.
  • Testing webhook handlers: Generate valid signatures for test payloads to verify your handler’s signature validation logic during development.
  • Security auditing: Confirm that webhook endpoints validate signatures and reject unsigned or tampered payloads.
  • Provider migration: Compare signature computation across different providers when migrating webhook integrations between platforms.

Features

  • Generate HMAC signatures for webhook payloads
  • Verify signatures against expected values
  • Support for SHA-1, SHA-256, SHA-384, SHA-512
  • Configurable signature encoding (hex, Base64)
  • Preset formats for Stripe, GitHub, Slack, Shopify
  • Timestamp-based signature schemes

Related Tools

πŸ”‘

JWT Decoder & Verifier

Decode and verify JWT tokens

πŸ”

Secret Scanner & Redactor

Scan and redact secrets in logs

πŸ“„

Base64 Encoder / Decoder

Encode and decode Base64 text

Try Webhook Signature Verifier on your iPhone or iPad

Download on the App Store