When a webhook lands in your inbox or staging logs and the signature isn't matching, paste the headers and body here to debug. Everything runs locally; the signing secret never leaves the page.
Stripe-Signature header containing t=... (timestamp) and one or more v1=... signatures. The signed payload is {timestamp}.{body}, signed with HMAC-SHA256 using your webhook signing secret (whsec_...).
X-Hub-Signature-256 header in the form sha256=<hex>. Signature is HMAC-SHA256 of the raw request body using your webhook secret. (The legacy X-Hub-Signature uses SHA-1 and should not be relied on.)
X-Slack-Signature (form v0=<hex>) and X-Slack-Request-Timestamp. The signed string is v0:{timestamp}:{body}, signed with HMAC-SHA256 using the signing secret found in your Slack app's Basic Information page.
X-Twilio-Signature header. The signed string is the full URL plus, for POST requests, the form-encoded parameters sorted alphabetically and concatenated. Signature is HMAC-SHA1 base64-encoded, using your Twilio auth token.