Webhook Signature Verifier
Paste raw body, signature, and secret to verify webhook authenticity for major providers with deterministic in-browser HMAC calculations and tolerance checks.
Verify signatures in-browser. Your raw payload and signing secret never leave your browser.
How to use Webhook Signature Verifier
Webhook Signature Verifier helps you confirm webhook authenticity before processing events by recomputing HMAC signatures entirely in your browser. Choose provider presets for Stripe, GitHub, Shopify, Slack, or a generic HMAC mode, then paste the raw request body, secret, and received signature/header value. The tool parses provider-specific formats, builds the correct signed payload string, calculates Web Crypto digests, and reports VALID or INVALID with computed output and timestamp tolerance results for replay-window checks. Because all inputs stay local, teams can debug signature mismatches safely without sending payloads or secrets to external verification services.
- Select the provider preset that matches your incoming webhook source.
- Paste the exact raw request body, signing secret, and received signature or header value.
- For Slack or custom replay checks, enter timestamp and tolerance seconds as needed.
- Click Verify signature to compute HMAC and compare against the received value.
- Review verdict, computed signature output, and tolerance pass/fail details before updating app logic.
Raw-body integrity is mandatory for accurate verification
Most webhook signature bugs come from body transformations before hashing. Providers sign the exact raw byte stream they sent, not a re-stringified JSON object. If middleware parses JSON and then your code serializes it again, key order, whitespace, escaping, or newline normalization can change and break signature checks even when the secret is correct. When validating failures, always compare using untouched raw body bytes from the HTTP request layer. This tool mirrors that expectation by requiring raw payload text input, making it easier to identify when your runtime pipeline mutates the body before verification.
Timestamp tolerance and replay defense strategy
Stripe and Slack include signed timestamps so receivers can reject old messages and reduce replay risk. Verification should therefore include both signature match and age checks against a narrow tolerance window, commonly 300 seconds. A matching digest alone is not sufficient if the event is stale or far in the future due to clock skew. During debugging, compare your server clock, provider timestamp headers, and tolerance settings together. This verifier reports signature match and tolerance outcomes separately, helping teams pinpoint whether failures are caused by secret mismatch, payload mutation, or replay-window policy configuration.
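The raw-body and timestamp-tolerance checks described above, combined in one receiver-side verifier for the Stripe header format. This is an added example, not the tool's own code: it uses Node's `crypto` module rather than browser Web Crypto, and the secret, body and timestamp are constructed sample values.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Parse "t=<unix seconds>,v1=<hex>[,v1=<hex>...]" into a timestamp and candidate signatures.
function parseStripeHeader(header) {
  const out = { timestamp: NaN, signatures: [] };
  for (const part of header.split(',')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key === 't') out.timestamp = /^\d+$/.test(value) ? Number(value) : NaN;
    else if (key === 'v1') out.signatures.push(value);
  }
  return out;
}

// Returns the signature result and the tolerance result separately.
function verifyStripeWebhook(rawBody, header, secret, nowSeconds, toleranceSeconds = 300) {
  const { timestamp, signatures } = parseStripeHeader(header);
  if (!Number.isInteger(timestamp)) return { signatureMatch: false, withinTolerance: false };
  // Signed payload is "<timestamp>.<raw body>", hashed over the untouched request bytes.
  const expected = createHmac('sha256', secret)
    .update(`${timestamp}.`).update(rawBody).digest();
  const signatureMatch = signatures.some((hex) => {
    if (!/^[0-9a-f]{64}$/i.test(hex)) return false; // also guarantees equal lengths below
    return timingSafeEqual(Buffer.from(hex, 'hex'), expected); // constant-time comparison
  });
  // Reject stale and far-future timestamps alike.
  const withinTolerance = Math.abs(nowSeconds - timestamp) <= toleranceSeconds;
  return { signatureMatch, withinTolerance };
}

// Constructed sample data (not real provider values).
const SECRET = 'whsec_example_constructed';
const RAW_BODY = Buffer.from('{"id": "evt_1",  "type": "charge.succeeded"}\n');
const T = 1700000000;
const HEADER = `t=${T},v1=` +
  createHmac('sha256', SECRET).update(`${T}.`).update(RAW_BODY).digest('hex');

function demo() {
  // Parsing and re-stringifying drops whitespace and the trailing newline.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW_BODY.toString())));
  return {
    fresh: verifyStripeWebhook(RAW_BODY, HEADER, SECRET, T + 60),
    replayed: verifyStripeWebhook(RAW_BODY, HEADER, SECRET, T + 3600),
    mutated: verifyStripeWebhook(reserialized, HEADER, SECRET, T + 60),
  };
}
console.log(demo());
```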
Worked examples
Stripe event verification
Inputs: Header t=1700000000,v1=<hex> + raw event JSON + whsec key
Result: Verdict shows VALID with tolerance pass when age is within window
GitHub signature mismatch debug
Inputs: X-Hub-Signature-256 with wrong secret
Result: INVALID verdict highlights computed hash differs from received value
Generic base64 prefix case
Inputs: Algorithm SHA-512, format base64, prefix sig:
Result: Computed signature includes prefix and compares correctly
Glossary
- HMAC: Hash-based Message Authentication Code used to prove payload integrity and origin with a shared secret.
- Signed payload: The exact string or byte sequence used as input to HMAC computation for verification.
- Replay attack: Resending a previously valid webhook request to trigger duplicate or malicious processing.
- Tolerance window: Maximum allowed age difference between webhook timestamp and receiver clock.
- Constant-time comparison: A comparison technique that avoids early exits to reduce timing side-channel leakage.
Why use Webhook Signature Verifier?
- Provider-aware parsing for Stripe, GitHub, Shopify, Slack, and generic HMAC signatures
- Deterministic in-browser HMAC generation with selectable SHA-1, SHA-256, and SHA-512 options
- Replay tolerance validation for timestamped webhook schemes like Stripe and Slack
- Ready-made sample vectors that load instantly and verify as valid for quick confidence checks
Common use cases
- Troubleshoot failing webhook verification when production code returns 400 invalid signature
- Validate secret rotation by comparing old and new signing keys against sample payloads
- Teach teammates how each provider builds signed payload strings and header formats
- Confirm generic HMAC integrations that use custom prefixes and base64 signatures