Webhook Signature Validator

Verify HMAC signatures for webhooks from GitHub, Stripe, and more.


What is Webhook Signature Validation?

Webhook signature validation is a security mechanism that ensures the webhook payload you receive has not been tampered with in transit. Providers like Stripe, GitHub, and Shopify sign each outgoing webhook request using HMAC (Hash-based Message Authentication Code) with a shared secret key. The resulting signature is sent alongside the payload in an HTTP header, allowing your server to independently verify the authenticity and integrity of the data.

Without signature validation, an attacker could forge webhook requests to your endpoint, potentially triggering unauthorized actions such as fake payment confirmations or bogus deployment events. By computing the HMAC of the raw request body using your secret key and comparing it against the signature provided in the header, you can confirm the request genuinely originated from the expected provider and was not modified along the way.

How Webhook Signatures Work

  1. Provider sends webhook with signature header

     When an event occurs, the provider computes an HMAC of the JSON payload using your shared secret and attaches the result in a header such as X-Hub-Signature-256 or Stripe-Signature.

  2. You compute HMAC of the payload using the shared secret

     On your server (or in this browser tool), you take the raw request body and your secret key, then compute the HMAC using the same algorithm (SHA256 or SHA1) the provider used.

  3. Compare computed signature vs received signature

     If the two hex strings match, the webhook is authentic. If they differ, the payload was either tampered with or signed with a different secret, and you should reject the request.

Supported Providers

GitHub

Header: X-Hub-Signature-256

Algorithm: HMAC-SHA256

Stripe

Header: Stripe-Signature

Algorithm: HMAC-SHA256

Shopify

Header: X-Shopify-Hmac-Sha256

Algorithm: HMAC-SHA256

Custom

Any HMAC-SHA256 or HMAC-SHA1 signed webhook

Configure your own header and algorithm
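
Server-side verification for the three listed providers, as an added example (not HookWatch's code and not from the original page). It goes beyond the generic three steps by handling each provider's header encoding: GitHub's "sha256=" hex prefix, Shopify's base64 digest, and Stripe's "t=...,v1=..." header, where the HMAC covers "<timestamp>.<body>". The function names, the `now` parameter, the 300-second tolerance and the sample secret and body are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

def mac(secret: bytes, message: bytes) -> bytes:
    return hmac.new(secret, message, hashlib.sha256).digest()

def verify_github(secret: bytes, raw_body: bytes, header: str) -> bool:
    """X-Hub-Signature-256 is 'sha256=' plus the hex HMAC of the raw body."""
    scheme, _, received = header.partition("=")
    expected = mac(secret, raw_body).hex().encode()
    # compare_digest is constant-time; == would leak how long a prefix matched.
    return scheme == "sha256" and hmac.compare_digest(expected, received.encode())

def verify_shopify(secret: bytes, raw_body: bytes, header: str) -> bool:
    """X-Shopify-Hmac-Sha256 is the base64 (not hex) HMAC of the raw body."""
    expected = base64.b64encode(mac(secret, raw_body))
    return hmac.compare_digest(expected, header.strip().encode())

def verify_stripe(secret: bytes, raw_body: bytes, header: str,
                  now: int, tolerance: int = 300) -> bool:
    """Stripe-Signature is 't=<unix time>,v1=<hex>'; the HMAC covers '<t>.<body>'."""
    pairs = [item.strip().split("=", 1) for item in header.split(",") if "=" in item]
    stamps = [v for k, v in pairs if k == "t"]
    if len(stamps) != 1 or not stamps[0].isdecimal():
        return False
    if abs(now - int(stamps[0])) > tolerance:  # stale timestamp, possible replay
        return False
    expected = mac(secret, stamps[0].encode() + b"." + raw_body).hex().encode()
    return any(hmac.compare_digest(expected, v.encode()) for k, v in pairs if k == "v1")

def demo(ts: int = 1700000000) -> dict:
    """Sign a constructed body the way each provider would, then verify it."""
    secret = b"example-webhook-secret"      # constructed, not a real credential
    body = b'{"event":"ping","id":42}'      # constructed raw request body
    github = "sha256=" + mac(secret, body).hex()
    shopify = base64.b64encode(mac(secret, body)).decode()
    stripe = f"t={ts},v1=" + mac(secret, f"{ts}.".encode() + body).hex()
    reparsed = json.dumps(json.loads(body)).encode()  # same data, different bytes
    return {
        "github": verify_github(secret, body, github),
        "shopify": verify_shopify(secret, body, shopify),
        "stripe": verify_stripe(secret, body, stripe, now=ts + 60),
        "stripe_replayed": verify_stripe(secret, body, stripe, now=ts + 3600),
        "github_reparsed_body": verify_github(secret, reparsed, github),
    }

if __name__ == "__main__":
    print(demo())
```

The "github_reparsed_body" entry is False because parsing and re-dumping the JSON changes whitespace, which is why the check must run on the raw request body.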

FAQ

Is my secret key safe?

Yes, all computation happens entirely in your browser using the Web Crypto API. Your secret key and payload are never sent to any server.

What's the difference between SHA256 and SHA1?

SHA256 produces a longer, more secure hash and is the recommended standard for modern webhook providers. SHA1 is a legacy algorithm with known weaknesses and is only used by older integrations.

Why doesn't my signature match?

Check for extra whitespace or newline characters in the payload, encoding differences (such as UTF-8 vs ASCII), or an incorrect secret key. Ensure you are using the raw request body exactly as received, without any parsing or reformatting.

Automatic signature verification?

HookWatch verifies webhook signatures automatically and alerts you on failures.
