Webhook Signature Verify
Recreate the exact bytes your provider signed and compare them locally
Safety note: Use the raw request body from your framework before JSON parsing changes it. This helper keeps request bodies and secrets in your browser.
Why Raw Body Matters
Providers sign the exact request bytes they send. If your framework parses JSON, rewrites whitespace, or changes newlines before you verify, the signature no longer matches even when the payload looks identical.
How to Verify a Webhook
- Paste the raw request body before any JSON parsing.
- Paste the shared secret and the provider signature header.
- Use the preset that matches the provider, or Generic for direct HMAC comparisons.
- Review the reconstructed signing string, expected digest, and mismatch causes.
Provider Presets
- Stripe: signs timestamp.raw_body and expects the v1 digest from the signature header.
- GitHub: signs the raw body and compares it with sha256=<hex> or legacy sha1=<hex>.
- Generic: compare any HMAC digest when you already know the algorithm and encoding.
Common Mismatch Causes
- Using parsed JSON instead of the raw request body.
- Loading the wrong secret for the current environment or endpoint.
- Ignoring timestamp tolerance or replay windows for Stripe-style signatures.
- Comparing a hex digest against Base64 or Base64URL output.
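The same checks on the server side, as an added Python example that is not this tool's own code: it verifies the GitHub and Stripe header styles over raw bytes and shows a re-serialised JSON body failing. The function names, the 300-second tolerance, and the secret, body and timestamp are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window; pick one that fits your endpoint


def verify_github(raw_body: bytes, secret: bytes, header: str) -> bool:
    """Check a GitHub-style 'sha256=<hex>' or legacy 'sha1=<hex>' header."""
    algo, _, received = header.partition("=")
    if algo not in ("sha256", "sha1"):
        return False
    expected = hmac.new(secret, raw_body, algo).hexdigest()
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def verify_stripe(raw_body: bytes, secret: bytes, header: str, now=None) -> bool:
    """Check a Stripe-style 't=<unix>,v1=<hex>' header, including its age."""
    timestamp, candidates = "", []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if not timestamp.isdecimal() or not candidates:
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False  # the HMAC may be valid, but the header is too old
    signing_string = timestamp.encode() + b"." + raw_body
    expected = hmac.new(secret, signing_string, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected.encode(), c.encode()) for c in candidates)


# Constructed sample data: not a real secret, delivery or timestamp.
SECRET = b"example-secret-not-real"
RAW_BODY = b'{"id": "evt_example",  "amount": 100}\n'
SENT_AT = 1_700_000_000
GITHUB_HEADER = "sha256=" + hmac.new(SECRET, RAW_BODY, hashlib.sha256).hexdigest()
STRIPE_HEADER = "t=%d,v1=%s" % (
    SENT_AT, hmac.new(SECRET, b"%d." % SENT_AT + RAW_BODY, hashlib.sha256).hexdigest())
# What a framework hands back after parsing and re-serialising the JSON.
REPARSED_BODY = json.dumps(json.loads(RAW_BODY)).encode()
```

REPARSED_BODY parses to the same object as RAW_BODY but differs in whitespace and the trailing newline, so both verifiers reject it.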
FAQ
Can I use this with live webhook requests?
Use it for debugging copied request bodies and headers. It does not receive webhooks for you.
Does the page store my secret?
No. Request bodies and secrets stay in your browser.
Why does Stripe care about the timestamp?
Timestamp checks help prevent replay. A valid HMAC can still be rejected when the header is too old.