About The Webhook Signature Verifier

Webhook Signature Verifier recomputes an HMAC signature from a raw payload and shared secret, then compares it with the signature you received from a provider. It helps debug webhook authentication failures without changing the payload bytes.

Verification runs locally in your browser. Treat webhook secrets as sensitive and prefer test secrets or internal workflows for production incidents.

How to Verify Webhook Signatures Online

1. Paste the webhook secret and exact raw payload.
2. Paste the provided signature from the request header.
3. Select the algorithm and signature format used by the provider.
4. Run verification and compare the expected signatures with the match result.

Choosing Options Correctly

Algorithm:
Match the provider documentation exactly. SHA-256 is common, but some services use SHA-1, SHA-384, or SHA-512.

Format:
Use prefixed for values like sha256=..., hex for raw hexadecimal signatures, and base64 when the provider sends base64.

Common Use Cases

• Debugging webhook signature mismatch errors.
• Checking whether payload formatting changed before verification.
• Building provider-specific webhook test fixtures.

Quick FAQ

Should I parse JSON before verifying?
No. Verify the exact raw request body bytes required by the webhook provider. Reformatting JSON changes the signature.

Can newline changes break verification?
Yes. Added, removed, or converted line endings change the signed payload.

Why does verification fail?
Wrong secret, wrong algorithm, missing timestamp prefix, modified body, or different output encoding are common causes.

Should I paste production webhook secrets?
Avoid it. Use a test endpoint secret or local verification code for production systems.