Webhook Signature Verifier

Verify webhooks from Stripe, GitHub, Slack, Twilio, and more — in your browser

When a webhook lands in your inbox or staging logs and the signature isn't matching, paste the headers and body here to debug. Everything runs locally; the signing secret never leaves the page.

Stripe sends a Stripe-Signature header containing t=... (timestamp) and one or more v1=... signatures. The signed payload is {timestamp}.{body}, signed with HMAC-SHA256 using your webhook signing secret (whsec_...).
The body must be the raw bytes Stripe sent. Reformatting JSON will break the signature.
All cryptography happens in your browser via Web Crypto. The secret is never sent over the network.
GitHub sends an X-Hub-Signature-256 header in the form sha256=<hex>. Signature is HMAC-SHA256 of the raw request body using your webhook secret. (The legacy X-Hub-Signature uses SHA-1 and should not be relied on.)
Slack sends X-Slack-Signature (form v0=<hex>) and X-Slack-Request-Timestamp. The signed string is v0:{timestamp}:{body}, signed with HMAC-SHA256 using the signing secret found in your Slack app's Basic Information page.
Twilio sends an X-Twilio-Signature header. The signed string is the full URL plus, for POST requests, the form-encoded parameters sorted alphabetically and concatenated. Signature is HMAC-SHA1 base64-encoded, using your Twilio auth token.
Paste the URL-decoded form values. The verifier will URL-encode and sort them as Twilio expects.
For any service that signs the raw body with HMAC. Choose the hash, paste the secret, paste the body, paste the expected signature in hex or base64.