A webhook is an HTTP callback — a server sends an HTTP POST request to a URL you specify whenever a particular event occurs. For example, Stripe sends a webhook when a payment succeeds, GitHub sends one when code is pushed, and Slack sends one when a message is posted. Webhooks let your application react to external events in real time.

Why should I verify webhook signatures?

Without signature verification, anyone who knows your webhook endpoint URL can send fake payloads. Providers sign the request body with a shared secret using HMAC. Your server computes the same signature and rejects any request where the signatures do not match. This protects against replay attacks and forged events.

Which providers are supported for auto-detection?

The tool auto-detects GitHub (push, pull_request, ping, and other events), Stripe (all event types with the standard event envelope), Slack (url_verification and event_callback), and Shopify (order and product webhooks). Unknown payloads are still parsed and displayed as raw JSON.

Why can I not verify Stripe or Slack signatures here?

Stripe signs the string ' . ' where the timestamp comes from the Stripe-Signature header (t=...). Slack signs 'v0: : ' where the timestamp is in X-Slack-Request-Timestamp. Since these timestamps are not in the payload itself, body-only verification is not possible in this tool. Use the official Stripe or Slack SDK, or replicate the signing string manually.

What HMAC algorithm does each provider use?

GitHub uses HMAC-SHA256 (hex-encoded, prefixed with sha256=). Stripe uses HMAC-SHA256 (hex-encoded, prefixed with v1=). Slack uses HMAC-SHA256 (hex-encoded, prefixed with v0=). Shopify uses HMAC-SHA256 (base64-encoded, no prefix).

Is my webhook payload and secret safe to paste here?

Yes. All processing happens in your browser using JavaScript's Web Crypto API. Your payload and secret are never sent to any server. That said, as a general practice, avoid pasting production secrets in any online tool if possible. Rotate any secret that may have been inadvertently exposed.

What if my provider is not listed?

The tool will still parse and display your JSON payload as 'Unknown provider'. You can still inspect all fields and use the signature verification inputs to verify HMAC signatures for GitHub- or Shopify-style body-only HMAC formats. If you need verification for a combined signing string (like Stripe or Slack), you will need to construct the signing string manually.

Webhook Validator — Inspect & Verify Webhook Payloads | 100Plus Tools

Loading tool...

How to Use Webhook Validator

How to Use the Webhook Validator:

Paste the Payload: Copy the raw JSON body of your webhook request and paste it into the payload field. The tool accepts any JSON object.
Click "Validate Webhook": The tool parses the JSON and attempts to identify the provider automatically based on the payload structure. Supported providers are GitHub, Stripe, Slack, and Shopify.
Review Event Details: For recognised providers, the tool extracts the event type, event ID, and provider-specific fields such as the repository name (GitHub), livemode flag (Stripe), team ID (Slack), or currency (Shopify).
Verify the Signature (optional): To verify that the payload has not been tampered with:
- Paste the signature header value into the "Signature Header Value" field (e.g. the full value of X-Hub-Signature-256 for GitHub, or X-Shopify-Hmac-Sha256 for Shopify).
- Enter your webhook signing secret.
- Click "Validate Webhook" again — the tool will compute the expected HMAC and compare it against the provided value.
Understand Signature Results:
- Verified: The computed HMAC matches the provided signature — the payload is authentic.
- Mismatch: The signatures differ — the payload may have been modified, or the wrong secret was used. The computed signature is shown for comparison.
- See note: Some providers (Stripe, Slack) sign a combined string that includes a timestamp from another header. Body-only verification is not supported for these; use the provider SDK or include the full signing string.

Notes:

GitHub uses HMAC-SHA256 on the raw body with a "sha256=" prefix. Paste the full header value.
Shopify uses HMAC-SHA256 on the raw body, base64-encoded (no prefix).
Stripe uses HMAC-SHA256 on "<timestamp>.<body>" — direct body-only verification is not possible.
Slack uses HMAC-SHA256 on "v0:<timestamp>:<body>" — direct body-only verification is not possible.
Your payload and secret never leave your browser.

Frequently Asked Questions

Most Viewed Tools

📺

Screen Size Converter

791 views

Calculate screen width and height from diagonal size and aspect ratio. Convert between inches and centimeters for displays, TVs, and monitors with instant dimension calculations.

Use Tool →

🖨️

DPI Calculator

303 views

Calculate DPI (dots per inch), image dimensions, and print sizes. Convert between pixels and physical dimensions for printing and displays.

Use Tool →

📄

Paper Size Converter

270 views

Convert between international paper sizes (A4, Letter, Legal) with dimensions in mm, cm, and inches. Compare ISO A/B series and North American paper standards.

Use Tool →

⛽

Fuel Consumption Converter

255 views

Convert between MPG (miles per gallon), L/100km (liters per 100 kilometers), and other fuel efficiency units. Compare car fuel economy across different measurement systems.

Use Tool →

✂️

CSV Splitter

231 views

Split large CSV files into smaller files by number of rows. Process large datasets in manageable chunks instantly.

Use Tool →

🛍️

Product Schema Generator

230 views

Generate JSON-LD Product schema markup for SEO. Add product details like name, price, brand, rating, and availability to create structured data for rich search results.

Use Tool →

📄

Large Text File Viewer

183 views

View and search large text files up to 200MB in your browser. Features virtual scrolling, line numbers, search functionality, and file statistics. Perfect for log files, CSV, JSON, and code files.

Use Tool →

🔑

API Key Generator

172 views

Generate secure, cryptographically random API keys for authentication and authorization. Create custom API keys with various formats including hex, base64, and prefixed keys.

Use Tool →

Related API & Backend Tools

🔑

JWT Token Validator

Decode and validate JWT tokens instantly in your browser. Inspect header and payload claims, check expiry, and verify HMAC signatures (HS256/HS384/HS512). Free and private.

Use Tool →

✍️

JWT Encoder & Signer

Construct and sign JWT tokens locally in your browser. Edit header and payload JSON, choose HS256/HS384/HS512, enter a secret, and generate a signed token instantly. Nothing is uploaded.

Use Tool →

🔌

API Tester

Test HTTP API endpoints directly in your browser. Make GET, POST, PUT, PATCH, and DELETE requests with custom headers and request bodies. View status codes, response headers, and pretty-printed JSON responses — all client-side, no server proxy.

Use Tool →

🔐

OAuth Token Validator

Validate and inspect OAuth tokens in your browser. Decode JWT access tokens and ID tokens to view claims, scopes, and expiry. Analyse opaque tokens for entropy and format. Free and private.

Use Tool →

🔓

JWT Decoder

Decode JWT (JSON Web Token) headers and payloads locally in your browser. View claims, algorithm info, and signature without sending data to any server.

Use Tool →

Share Your Feedback

Help us improve this tool by sharing your experience

Webhook Validator

How to Use Webhook Validator

Frequently Asked Questions

What is a webhook?

Why should I verify webhook signatures?

Which providers are supported for auto-detection?

Why can I not verify Stripe or Slack signatures here?

What HMAC algorithm does each provider use?

Is my webhook payload and secret safe to paste here?

What if my provider is not listed?

Most Viewed Tools

Screen Size Converter

DPI Calculator

Paper Size Converter

Fuel Consumption Converter

CSV Splitter

Product Schema Generator

Large Text File Viewer

API Key Generator

Related API & Backend Tools

JWT Token Validator

JWT Encoder & Signer

API Tester

OAuth Token Validator

JWT Decoder

Share Your Feedback