Webhook Signature Verifier
Options
What is a Webhook Signature Verifier?
A Webhook Signature Verifier helps you confirm whether a webhook payload was signed with the expected secret.
This is useful when debugging Stripe, GitHub, Slack, or custom webhooks that use HMAC signatures.
How to use the Webhook Signature Verifier
- Paste the webhook payload.
- Paste the secret used by your provider.
- Paste the provided signature or the full signature header.
- Choose algorithm and encoding, then click Verify signature.
Tips
- Make sure the payload matches the exact raw body used by the provider.
- Some providers include prefixes like sha256= or v1= in signature headers.
- If verification fails, check whitespace, line endings, and encoding.
- Use the same algorithm that your provider expects.
Related guides
Learn the workflow behind this tool and what to check next.
How to inspect JWT auth issues
A JWT troubleshooting flow for checking token claims, time values, permissions, and signing assumptions without treating decoding as verification.
How to validate a domain before launch
A launch workflow for confirming DNS records, domain ownership signals, SSL coverage, and security headers on the public endpoint.
Webhook signature checks before trusting an event
Verify authenticity before parsing an event as trusted input, and apply the provider's signing rules to the untouched request payload.
Preserve the raw body
Capture the exact request bytes before JSON parsing, reformatting, newline conversion, or middleware changes the signed payload.
Parse the signature header
Follow the provider's version, timestamp, key ID, encoding, and multiple-signature rules instead of comparing the whole header as one digest.
Limit replay
Validate the signed timestamp within a short tolerance and store event IDs when the provider supports duplicate detection.
Respond safely
Reject invalid signatures without processing the event, avoid logging secrets or full sensitive bodies, and make valid handlers idempotent.
Privacy and usage
Built for quick checks without an account
Toolinix tools are designed for short developer tasks: paste a safe sample, inspect the result, copy what you need, and move on.
No login required
You can use the tools without creating an account, subscribing to a newsletter, or saving a workspace.
Local when possible
Formatters, generators, encoders, and text utilities generally run in your browser. Network diagnostics may need a server-assisted lookup to check public URLs, domains, or IPs.
Keep secrets out
Do not paste production passwords, private keys, access tokens, customer records, or regulated data into online tools unless your own security policy allows it.
Related tools
You may also find these tools useful.