Stripe Webhook Signature Verifier
Verify Stripe webhook signatures locally. Parses the Stripe-Signature header, recomputes HMAC-SHA-256, and checks the replay tolerance window.
Inputs
The secret, header, and body are processed locally with the Web Crypto API. They are never uploaded.
Use the full secret as Stripe displays it, including the whsec_ prefix. It is used as the HMAC key in raw form.
Paste the entire header value. The leading Stripe-Signature: label is stripped if you include it.
Paste the exact bytes Stripe sent. Even a single re-serialization, extra whitespace, or BOM will change the signature.
Stripe recommends 300 (5 minutes) to block replays.
Use Trust header time when checking an older captured request and you only want the signature math.
How Stripe signs each webhook
1. Stripe picks the current Unix timestamp t.
2. It builds the signed payload as t + "." + raw_request_body.
3. It computes HMAC_SHA256(secret, signed_payload) and includes the result as one or more v1=<hex> entries (one per active signing secret).
4. Your server must reject the request unless one v1 entry matches the recomputed HMAC and the timestamp is within an acceptable tolerance.
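The server-side check from step 4, as an added Node.js example (not this tool's own code, which runs on the Web Crypto API in the browser). The function names, the result shape, and the sample secret and body are assumptions constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Split "t=...,v1=...,v1=..." into a timestamp and the list of v1 hex values.
function parseStripeSignature(header) {
  const value = header.replace(/^stripe-signature:\s*/i, '').trim();
  const parsed = { t: null, v1: [] };
  for (const part of value.split(',')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const val = part.slice(idx + 1).trim();
    if (key === 't' && /^\d+$/.test(val)) parsed.t = Number(val);
    else if (key === 'v1' && /^[0-9a-f]{64}$/i.test(val)) parsed.v1.push(val.toLowerCase());
  }
  return parsed;
}

// HMAC-SHA-256 over t + "." + raw body, keyed with the full whsec_ string.
function expectedV1(secret, t, rawBody) {
  return createHmac('sha256', secret).update(`${t}.`).update(rawBody).digest('hex');
}

// now and tolerance are in seconds; the result shape is this example's own.
function verifyStripeWebhook({ secret, header, rawBody, tolerance = 300, now = Math.floor(Date.now() / 1000) }) {
  const { t, v1 } = parseStripeSignature(header);
  if (t === null || v1.length === 0) return { ok: false, matched: false, reasons: ['malformed header'] };
  const expected = Buffer.from(expectedV1(secret, t, rawBody), 'hex');
  let matched = false;
  for (const sig of v1) {
    // Fixed-length, constant-time comparison; every entry is checked (secret rotation).
    if (timingSafeEqual(Buffer.from(sig, 'hex'), expected)) matched = true;
  }
  const reasons = [];
  if (!matched) reasons.push('no v1 entry matches: wrong secret or mutated body');
  const age = now - t;
  // Rejecting timestamps too far in the future as well is a choice made in this example.
  if (Math.abs(age) > tolerance) reasons.push(`timestamp outside tolerance: age ${age}s`);
  return { ok: reasons.length === 0, matched, age, reasons };
}

// Constructed sample (not a real secret or event): a stale v1 entry plus the valid one.
const SAMPLE = { secret: 'whsec_constructed_example', rawBody: '{"id":"evt_constructed"}', t: 1700000000 };
SAMPLE.header = `t=${SAMPLE.t},v1=${'0'.repeat(64)},v1=${expectedV1(SAMPLE.secret, SAMPLE.t, SAMPLE.rawBody)}`;
console.log(verifyStripeWebhook({ ...SAMPLE, now: SAMPLE.t + 60 }));
```

Pass `rawBody` as the unparsed request bytes (a string or Buffer captured before any JSON parsing), and fix `now` only when replaying a captured request.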
How to use
- Paste your Stripe webhook signing secret (the whsec_ value) into the secret field. Use Show to confirm there is no whitespace.
- Paste the entire Stripe-Signature header value, including the t=<timestamp> and one or more v1=<hex> entries.
- Paste the raw request body exactly as Stripe delivered it. Re-serialized JSON or trimmed whitespace will break the signature.
- Pick a tolerance (300 seconds is Stripe's recommendation) and choose Current time for live checks or Trust header time when verifying a captured request.
- Click Verify signature to see the match verdict, the expected v1 hex, the timestamp age, and clear reasons when a mismatch is detected.
About this tool
Stripe Webhook Signature Verifier reproduces the exact signing math Stripe runs on every webhook so you can confirm a request is genuine before your server trusts it. Paste your webhook signing secret (the full whsec_ value), the Stripe-Signature header value, and the raw request body. The tool parses the header into its t=timestamp and v1=hex entries, builds the signed payload as timestamp + "." + raw_body, computes HMAC-SHA-256 with the Web Crypto API, and compares the result against every v1 entry with a constant-time hex equality check.
The verdict shows whether the v1 signature matches, which entry matched, the expected hex you can copy for side-by-side comparison, the header timestamp and its age against your current clock, whether the request falls inside the timestamp tolerance window (Stripe recommends 300 seconds to block replays), and a list of human-readable reasons when something does not line up (wrong secret, mutated body, expired timestamp, malformed header). The Trust header time mode skips the replay check so you can verify a captured request after the fact and focus on the signature math, while Current time mode reproduces the same guard your production server should run.
Common failure causes are spelled out: an Express body-parser that swapped the raw payload for parsed JSON, a proxy that rewrote whitespace, a copy-paste that dropped a trailing brace, a test secret pasted in production, or a clock skew that pushed the timestamp outside the window.
Useful when wiring a new Stripe integration, debugging why a webhook handler is rejecting valid events, building a sandbox replay harness, teaching a team how the v1 scheme works, or rotating signing secrets and confirming the new value before flipping over. Everything runs in your browser; the secret, the header, and the body are never uploaded, which is the only safe way to test a webhook signing secret without exposing it to a third party.
Free to use. Works in your browser. No signup, no login.