Webhook Payload Tester

Build mode: select an event template and generate a signed payload + headers. Verify mode: paste payload, signature, and secret — recompute HMAC-SHA256 locally and get PASS/FAIL. Nothing leaves your browser.

Runs 100% client-side
Copy output
On this page5 sections
INFO

Local payload builder and signature verifier — this tool does not send or receive real webhooks. The signing secret and payload are computed in your browser via Web Crypto and never leave your device.

Signature header: X-Hub-Signature-256

HOW TO USE

  1. 01Choose a mode: Build (generate a signed payload) or Verify (check a payload + signature).
  2. 02Build: pick a provider template, enter your signing secret → get the JSON body, signature header, and a curl command.
  3. 03Verify: paste the received payload, the signature, and your secret → see the computed vs received HMAC.
  4. 04Everything is computed locally; copy the payload or curl to replay against your handler.

Try it

Build → Stripe checkout.session.completed → copy the curl command

WHEN TO USE

Use in two scenarios: (1) Build mode — you're writing a webhook handler and need a realistic signed payload to test against without triggering a real event; (2) Verify mode — you have a payload and signature from a provider and want to confirm your signing secret and algorithm produce the expected HMAC-SHA256 match. All computation is local; the secret and payload never leave your browser.

WHAT BUGS THIS FINDS

  • Wrong HMAC encoding — hex vs base64

    Stripe uses hex; some providers use base64. Using the wrong encoding produces a valid HMAC value that never matches, causing all webhooks to be rejected silently.

  • Signature header not verified — trust without check

    A handler that processes the payload without verifying the HMAC accepts forged events from anyone who knows the endpoint URL.

  • Signature verified on modified payload

    Logging middleware that compresses or reformats the body before the handler reads it changes the payload bytes — HMAC verification always fails.

QA USE CASES

01

Generate a Stripe-style signed payload

Build mode → select Stripe checkout.session.completed template → get a JSON body + Stripe-Signature header + curl command to replay against your handler.

02

Debug a signature mismatch

Verify mode → paste the exact payload your handler received, the signature from the header, and your signing secret → see the computed vs received HMAC and exactly where they diverge.

03

Test your HMAC verification logic

Verify mode with correct inputs → PASS confirms your algorithm and encoding are correct. Tamper one byte → FAIL confirms rejection works.

04

Test the missing-signature path

Leave the signature field blank and confirm your handler returns 401 rather than processing the unauthenticated payload.

Related