Webhook Signature Validator

Test and validate webhook signatures using HMAC algorithms. Learn how signatures protect your webhooks from tampering and unauthorized access.

Webhook Configuration

Enter the raw JSON payload that will be sent in the webhook request body

The shared secret key used to sign the webhook payload

Choose how the signature should be encoded. Most webhook providers use hex, but some like Stripe and GitHub use base64.

Computed Signature


This is the HMAC signature that should be included in the webhook request header (e.g., X-Hook-Signature)

Validate Signature (Optional)

Enter a signature to compare it against the computed signature above

How webhook signatures work

Webhook signatures use HMAC (Hash-based Message Authentication Code) to verify that webhook payloads come from a trusted source and haven't been tampered with.

Here's the process:

  1. The sender creates an HMAC signature using the webhook payload and a secret key
  2. The signature is sent along with the payload in a header (usually X-Hook-Signature)
  3. The receiver computes its own signature over the received payload using the same secret key
  4. If the signatures match, the webhook is authentic and unmodified

Best practices

  • Use SHA-256 or SHA-512 - SHA-1 is deprecated and should be avoided for new implementations
  • Keep secrets secure - Store webhook secrets in environment variables or secret management systems
  • Use constant-time comparison - Prevent timing attacks by comparing signatures in constant time
  • Include timestamps - Add timestamp verification to prevent replay attacks
  • Support signature rotation - Allow multiple valid signatures during secret rotation periods
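
A receiver-side check that combines the practices listed above, as an added example that is not code from this tool: HMAC-SHA256, constant-time comparison, a timestamp window, and acceptance of the previous secret during rotation. The signed layout `<timestamp>.<body>`, the 300-second window, and the secret and payload values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed replay window, not a value from the page

# Constructed sample values, not from any real provider.
OLD_SECRET, NEW_SECRET = b"old-demo-secret", b"new-demo-secret"
BODY = b'{"event":"order.paid","id":42}'


def _mac(secret: bytes, timestamp: str, body: bytes) -> bytes:
    # Assumed layout: the timestamp is signed together with the raw body,
    # so a captured request cannot be replayed with a fresh timestamp.
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).digest()


def sign(secret: bytes, timestamp: str, body: bytes, encoding: str = "hex") -> str:
    """Sender side: encode the MAC as hex or base64."""
    mac = _mac(secret, timestamp, body)
    return mac.hex() if encoding == "hex" else base64.b64encode(mac).decode()


def verify(secrets, timestamp: str, signature: str, body: bytes,
           encoding: str = "hex", now=None) -> bool:
    """Receiver side: True only for a fresh request signed with an accepted secret.

    secrets lists the current secret plus the previous one while rotating.
    body must be the raw bytes as received, not re-serialised JSON.
    """
    now = time.time() if now is None else now
    try:
        if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
            return False  # stale or future-dated: reject as a possible replay
        received = (bytes.fromhex(signature) if encoding == "hex"
                    else base64.b64decode(signature, validate=True))
    except (TypeError, ValueError):
        return False  # malformed timestamp or signature
    ok = False
    for secret in secrets:
        # compare_digest runs in constant time for equal-length inputs;
        # every secret is checked so timing does not reveal which one matched.
        ok |= hmac.compare_digest(_mac(secret, timestamp, body), received)
    return ok
```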