GitHub Webhook Signature Verifier

Verify GitHub webhook signatures in your browser. Compute HMAC-SHA256 and HMAC-SHA1 over the body, compare to X-Hub-Signature-256, and explain failures.

Webhook payload

Paste the exact bytes GitHub delivered as the request body. Reserialized or pretty-printed JSON will not verify.

Whitespace and trailing newlines change the digest.

Webhook secret

The secret you configured for this webhook in GitHub settings. Stays on this device.

Signature header received

Paste the value of X-Hub-Signature-256 or the legacy X-Hub-Signature. The header name prefix is optional.

Examples: sha256=ab12... or sha1=cd34....

Verify signature

Computes HMAC of the body with the secret, then compares against the parsed signature. Everything stays in your browser.

How to use

  1. Paste the exact webhook request body your receiver saw. The bytes must match what GitHub sent; any whitespace, trailing newline, or BOM added by a logging proxy or editor will change the digest.
  2. Enter the webhook secret you configured in the repository, organization, or GitHub App settings. Use the Show toggle to confirm you pasted the right value. The secret never leaves your browser.
  3. Paste the value of X-Hub-Signature-256 (modern) or the legacy X-Hub-Signature header. The header name prefix is optional, and either sha256= or sha1= will be auto-detected.
  4. Press Verify signature. The tool computes HMAC-SHA256 and HMAC-SHA1 of the body with the secret, parses the observed signature, and shows a green Verified or red Mismatch verdict.
  5. If the signatures match, copy the expected digest or header line to use as a known-good fixture in your tests.
  6. If they do not match, read the per-character diff to see exactly where the digests diverge, then walk through the failure checklist below the diff to find the bug in your receiver code.
  7. Use Load sample payload to drop in the canonical example from the GitHub webhook documentation if you need a known-good starting point.

About this tool

GitHub Webhook Signature Verifier checks the X-Hub-Signature-256 (HMAC-SHA256) and the legacy X-Hub-Signature (HMAC-SHA1) headers that GitHub attaches to every webhook delivery. Paste the exact request body, the webhook secret you configured in repository or app settings, and the signature header value the receiver saw; the tool computes the HMAC of the body with the secret using the Web Crypto API, parses the signature header (stripping the sha256= or sha1= prefix), and compares the observed digest to the expected digest with a constant-time comparison.

When the signature matches, the verdict panel turns green and the matching header is highlighted. When it does not, the verdict turns red and the tool renders a per-character diff of expected vs observed hex so you can see exactly where the bytes diverge, alongside a checklist of the real-world reasons GitHub webhook verification fails (body re-serialization, trailing newlines, BOMs, kept algorithm prefixes, stale secrets, and timing-unsafe string compares). The expected sha256 and sha1 digests are always shown with copy buttons so you can paste them directly into your receiver tests, and a Use expected sha256 as test signature button fills the field with the value GitHub would have sent for the current body and secret.

Nothing leaves your browser: the secret, body, and computed digests stay in component state, and the comparison is done locally with crypto.subtle. Use this whenever a GitHub webhook receiver returns 401 with a signature mismatch, when you are migrating a receiver from sha1 to sha256, or when you are writing a new GitHub App and need a known-good fixture to test against.
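The verification flow described above, written as a receiver-side check that also names which body mutation from the failure checklist explains a mismatch. This is an added example, not the tool's own code: it uses Node's built-in `crypto` module rather than the browser's `crypto.subtle`, and the function names, reason strings, and sample secret and body are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Hex HMAC of the body bytes under the webhook secret.
const hmacHex = (algo, secret, body) => crypto.createHmac(algo, secret).update(body).digest("hex");

// Accepts "sha256=<hex>" or "sha1=<hex>", with or without the "X-Hub-Signature-256:" header name.
function parseSignature(header) {
  const value = String(header).trim().replace(/^x-hub-signature(-256)?\s*:\s*/i, "");
  const m = /^(sha256|sha1)=([0-9a-f]+)$/i.exec(value);
  if (!m) return null;
  const [algo, hex] = [m[1].toLowerCase(), m[2].toLowerCase()];
  return hex.length === { sha256: 64, sha1: 40 }[algo] ? { algo, hex } : null;
}

// Constant-time compare; lengths are checked first because timingSafeEqual throws on a mismatch.
function safeEqualHex(a, b) {
  const [x, y] = [Buffer.from(a, "hex"), Buffer.from(b, "hex")];
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Body mutations from the failure checklist, each with a transform that undoes it (null = not applicable).
const UNDO = [
  ["a UTF-8 BOM was prepended", (b) => (b.subarray(0, 3).toString("hex") === "efbbbf" ? b.subarray(3) : null)],
  ["trailing newline bytes were appended", (b) => {
    const s = b.toString("latin1").replace(/[\r\n]+$/, ""); // latin1 round-trips bytes unchanged
    return s.length < b.length ? Buffer.from(s, "latin1") : null;
  }],
  ["the JSON body was re-serialized (heuristic)", (b) => {
    try { return Buffer.from(JSON.stringify(JSON.parse(b.toString("utf8")))); } catch { return null; }
  }],
];

// ok is true only for an exact match; a diagnosis never turns a mismatch into an accept.
function verifyWebhook(rawBody, secret, header) {
  const sig = parseSignature(header);
  if (!sig) return { ok: false, reason: "unparseable signature header" };
  const body = Buffer.from(rawBody); // string (encoded as UTF-8) or Buffer of the received bytes
  const matches = (b) => safeEqualHex(hmacHex(sig.algo, secret, b), sig.hex);
  if (matches(body)) return { ok: true, algo: sig.algo, reason: "match" };
  for (const [reason, undo] of UNDO) {
    const candidate = undo(body);
    if (candidate && matches(candidate)) return { ok: false, algo: sig.algo, reason };
  }
  return { ok: false, algo: sig.algo, reason: "no known body mutation explains it; check the secret" };
}

// Constructed sample: a proxy appended "\n" after the body was signed; prints the diagnosis.
const demoSig = "sha256=" + hmacHex("sha256", "constructed-secret", '{"action":"opened"}');
console.log(verifyWebhook('{"action":"opened"}\n', "constructed-secret", demoSig));
```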

Free to use. Works in your browser. No signup, no login.
