100% client-side — Your data never leaves your browser

Free HMAC Webhook Signature Validator

Compute and verify HMAC signatures for Stripe, GitHub, Twilio, Shopify, Slack, and any custom webhook provider. Powered by the Web Crypto API — nothing is sent to any server.

Fill in the payload and secret key, then click Validate Signature to compute and verify the HMAC.

Quick Reference: Webhook Signature Formats

How popular providers sign their webhooks.

| Provider | Header Name | Algorithm | Encoding | Signed Payload |
| --- | --- | --- | --- | --- |
| Stripe | Stripe-Signature | HMAC-SHA256 | hex | {{timestamp}}.{{body}} |
| GitHub | X-Hub-Signature-256 | HMAC-SHA256 | hex | raw body |
| Twilio | X-Twilio-Signature | HMAC-SHA1 | base64 | URL + sorted params |
| Shopify | X-Shopify-Hmac-Sha256 | HMAC-SHA256 | base64 | raw body |
| Slack | X-Slack-Signature | HMAC-SHA256 | hex | v0:{{timestamp}}:{{body}} |

What is HMAC and Why Do Webhook Providers Use It?

HMAC (Hash-based Message Authentication Code) is a cryptographic mechanism that combines a secret key with a hash function to produce a unique signature for a given message. Webhook providers like Stripe, GitHub, Twilio, Shopify, and Slack use HMAC signatures to let you verify that incoming webhook requests are authentic and haven't been tampered with during transit.

When a provider sends a webhook to your endpoint, it computes an HMAC of the request body using a shared secret and includes the resulting signature in an HTTP header. Your application then recomputes the HMAC using the same secret and compares it with the received signature. If they match, you can trust the request is genuine.

How to Verify Webhook Signatures

Verifying a webhook signature typically involves these steps:

  1. Extract the signature from the incoming request header (e.g., X-Hub-Signature-256 for GitHub, Stripe-Signature for Stripe).
  2. Get the raw request body exactly as received — do not parse or modify it before verification.
  3. Compute the HMAC using the appropriate algorithm (usually HMAC-SHA256) with your webhook secret key.
  4. Compare the computed signature with the received signature using a timing-safe comparison to prevent timing attacks.
  5. If signatures match, process the webhook. If not, reject the request with a 401 or 403 status.

Some providers like Stripe and Slack include a timestamp in the signed payload to prevent replay attacks. In those cases, you should also verify that the timestamp is recent (typically within 5 minutes).

Why Signature Validation Matters

Without signature validation, your webhook endpoint is vulnerable to spoofing attacks. An attacker could send forged webhook payloads to your server, potentially triggering unauthorized actions like fake payment confirmations, fraudulent order completions, or data corruption.

Proper HMAC verification ensures data integrity (the payload wasn't altered), authenticity (it came from the expected provider), and when combined with timestamp checks, freshness (it's not a replayed old request). This is a critical security layer for any production webhook integration.

This free tool helps you test and debug your signature validation logic without writing code. Paste your payload and secret, select your provider, and instantly see if the signatures match — all computed locally in your browser using the native Web Crypto API.

Need to monitor, relay, and debug webhooks in production? Try HookScope — real-time webhook inspection and forwarding for development teams.