
Webhook signature verifier

Paste a captured webhook payload, the signature header your provider sent, and your signing secret. The verifier computes the HMAC entirely in your browser and shows you the exact reason it matches or doesn't — wrong secret, body whitespace, encoding mismatch, or a stale Stripe timestamp outside the tolerance window. Three providers covered: Stripe, GitHub, Shopify.

Why it's usually broken

  • Stripe hashes <timestamp>.<body>. If your framework parses JSON before the signature check, the re-serialized body has different whitespace than the original and the HMAC differs. Use the raw body string from the request.
  • GitHub sends X-Hub-Signature-256: sha256=<hex>. Strip the sha256= prefix before comparison.
  • Shopify sends base64, not hex. Comparing as hex always fails.
  • Most signature mismatches are not caused by a wrong secret; the cause is middleware mutating the body. Test against the raw bytes.
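
The three schemes in the list above as server-side checks in Node.js. This is an added example, not the tool's own code; the secret, body and timestamp are constructed, and the 300-second tolerance default and the function names are assumptions of this sketch.

```javascript
// Added example (not the tool's code): verify Stripe, GitHub and Shopify
// webhook signatures over the RAW request body with Node's crypto module.
const { createHmac, timingSafeEqual } = require('node:crypto');

const hmac = (secret, data, enc) =>
  createHmac('sha256', secret).update(data).digest(enc);

// Constant-time compare; a length mismatch is simply "not equal".
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// Stripe-Signature: t=<unix seconds>,v1=<hex>; the signed string is "<t>.<rawBody>".
function verifyStripe(rawBody, header, secret, nowSec, toleranceSec = 300) {
  const parts = header.split(',').map((p) => p.trim().split('='));
  const t = (parts.find(([k]) => k === 't') || [])[1];
  const sigs = parts.filter(([k]) => k === 'v1').map(([, v]) => v);
  if (!t || !/^\d+$/.test(t) || sigs.length === 0) return 'malformed header';
  const expected = hmac(secret, `${t}.${rawBody}`, 'hex');
  if (!sigs.some((s) => safeEqual(s, expected))) return 'signature mismatch';
  if (Math.abs(nowSec - Number(t)) > toleranceSec) return 'stale timestamp';
  return 'ok';
}

// X-Hub-Signature-256: sha256=<hex>; the prefix is removed before comparing.
function verifyGitHub(rawBody, header, secret) {
  if (!header.startsWith('sha256=')) return 'malformed header';
  const got = header.slice('sha256='.length);
  return safeEqual(got, hmac(secret, rawBody, 'hex')) ? 'ok' : 'signature mismatch';
}

// X-Shopify-Hmac-Sha256: <base64>; compared as base64, never as hex.
function verifyShopify(rawBody, header, secret) {
  return safeEqual(header, hmac(secret, rawBody, 'base64')) ? 'ok' : 'signature mismatch';
}

// Constructed sample data: secret, body and timestamp are made up.
const SECRET = 'whsec_example_not_real';
const RAW = '{"id": "evt_1",  "type": "ping"}'; // spacing exactly as "sent"
const T = 1700000000;
const stripeHeader = `t=${T},v1=${hmac(SECRET, `${T}.${RAW}`, 'hex')}`;
const reserialized = JSON.stringify(JSON.parse(RAW)); // what JSON middleware hands you

console.log(verifyStripe(RAW, stripeHeader, SECRET, T + 10));          // raw body
console.log(verifyStripe(reserialized, stripeHeader, SECRET, T + 10)); // parsed, then re-serialized
console.log(verifyStripe(RAW, stripeHeader, SECRET, T + 3600));        // an hour late
```

The second call fails only because the re-serialized body lost the original whitespace; the secret is the same in all three calls.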

Got a webhook URL but no payload yet?

Open /tools/webhook-tester in another tab to capture a real webhook payload + headers, then paste the body and signature back here.

Want the webhook to actually trigger your local handler? Tunnel:

$ lrok reserve stripe-dev
$ lrok http 4242 --hint stripe-dev
