Webhook Signature Verifier

All tools

Options

Status
Idle
Algorithm
Encoding
Payload length

What is a Webhook Signature Verifier?

A Webhook Signature Verifier helps you confirm whether a webhook payload was signed with the expected secret.

This is useful when debugging Stripe, GitHub, Slack, or custom webhooks that use HMAC signatures.

How to use the Webhook Signature Verifier

  1. Paste the webhook payload.
  2. Paste the secret used by your provider.
  3. Paste the provided signature or the full signature header.
  4. Choose algorithm and encoding, then click Verify signature.

Tips

  • Make sure the payload matches the exact raw body used by the provider.
  • Some providers include prefixes like sha256= or v1= in signature headers.
  • If verification fails, check whitespace, line endings, and encoding.
  • Use the same algorithm that your provider expects.

Related guides

Learn the workflow behind this tool and what to check next.

Webhook signature checks before trusting an event

Verify authenticity before parsing an event as trusted input, and apply the provider's signing rules to the untouched request payload.

Preserve the raw body

Capture the exact request bytes before JSON parsing, reformatting, newline conversion, or middleware changes the signed payload.

Parse the signature header

Follow the provider's version, timestamp, key ID, encoding, and multiple-signature rules instead of comparing the whole header as one digest.

Limit replay

Validate the signed timestamp within a short tolerance and store event IDs when the provider supports duplicate detection.

Respond safely

Reject invalid signatures without processing the event, avoid logging secrets or full sensitive bodies, and make valid handlers idempotent.

Privacy and usage

Built for quick checks without an account

Toolinix tools are designed for short developer tasks: paste a safe sample, inspect the result, copy what you need, and move on.

No login required

You can use the tools without creating an account, subscribing to a newsletter, or saving a workspace.

Local when possible

Formatters, generators, encoders, and text utilities generally run in your browser. Network diagnostics may need a server-assisted lookup to check public URLs, domains, or IPs.

Keep secrets out

Do not paste production passwords, private keys, access tokens, customer records, or regulated data into online tools unless your own security policy allows it.

Related tools

You may also find these tools useful.

Webhook Signature Verifier FAQ

Can this tool verify Stripe or GitHub webhook signatures?
It can help verify many HMAC-based webhook signatures, especially when you know the algorithm, secret, and raw payload.
Can I paste the full signature header?
Yes. The tool can normalize common header-style values.
Why does verification fail even with the right secret?
Most often the payload differs from the original raw body, or the signature was normalized incorrectly.
Is my webhook data stored?
No. It is only processed for the current request.