GitHub
HMAC SHA-256 of the raw request body, encoded as hex with a sha256= prefix.
Received signature header
client-side only·zero data egress
Webhook Signature Verifier
Paste the raw payload, secret, and received header. The expected signature is computed locally in your browser — nothing leaves your machine.
Stripe
HMAC SHA-256 of `${timestamp}.${rawBody}` encoded as hex. The Stripe-Signature header can contain multiple signatures.
Preserve whitespace exactly as received. Do not pretty-print unless the incoming request body was already pretty-printed.
Looks like whsec_... from the Stripe dashboard.
Paste the full incoming header value for an exact comparison.
Use the numeric t value from Stripe-Signature.
Waiting for header input
Expected v1 signature
Fill in the required fields to compute a signature.Timestamp + raw body
The exact string that gets signed before encoding.
Parsed incoming signatures
Paste a received header to compare against the computed signature.
Debug notes
- Add a endpoint signing secret to calculate the signature.
- Paste the exact raw request body. Even whitespace changes will break verification.
- Add timestamp from the incoming request.
Quick start
Load a working example to see the exact format each provider expects.
How to verify a webhook signature
- 1
Pick the provider whose webhook format you are debugging.
- 2
Paste the exact raw payload, the signing secret, and the incoming signature header.
- 3
Add timestamp and delivery ID fields when the provider requires them.
- 4
Compare the computed signature with the parsed header values to find the mismatch.
Supported providers
Stripe
HMAC SHA-256 of `${timestamp}.${rawBody}` encoded as hex. The Stripe-Signature header can contain multiple signatures.
Stripe-Signature header
Svix
HMAC SHA-256 of `${id}.${timestamp}.${rawBody}` encoded as base64. The whsec_ secret is base64-decoded first.
svix-signature header
Clerk
Clerk webhooks use Svix under the hood: `${id}.${timestamp}.${rawBody}` signed with a base64-decoded whsec_ secret.
svix-signature header
Shopify
HMAC SHA-256 of the raw request body, encoded as base64 for x-shopify-hmac-sha256.
x-shopify-hmac-sha256 header
Lemon Squeezy
HMAC SHA-256 of the raw request body, encoded as lowercase hex for the X-Signature header.
X-Signature header
Provider coverage
Stripe webhook signature tester
Recompute Stripe-Signature values using the t timestamp and v1 HMAC so you can debug checkout, billing, and webhook endpoint verification errors.
GitHub webhook signature tester
Generate the expected x-hub-signature-256 value from the raw GitHub webhook payload and your webhook secret.
Svix and Clerk signature tester
Verify svix-signature headers using svix-id, svix-timestamp, and whsec_ secrets for authentication and user lifecycle webhooks.
Shopify and Lemon Squeezy HMAC tester
Check x-shopify-hmac-sha256 and X-Signature webhook headers against the original request body before you chase framework bugs.