Zero Signup ToolsFree browser tools

Developer Tools

Webhook Signature Generator

Sign webhook payloads with HMAC for Stripe, GitHub, Slack, Shopify, Svix, or a custom format. Copy headers and a ready-to-run curl command.

Provider

Pick the platform whose receiver you want to test. The signing string and header format change per provider.

HMAC-SHA-256 over `<timestamp>.<body>`. Header value is `t=<ts>,v1=<hex>`.

Used as the raw HMAC key. Include any prefix the platform uses (such as whsec_) exactly as it appears in your dashboard.

HMAC signs the exact bytes you enter. Reformatting JSON, adding a trailing newline, or changing the encoding will produce a different signature.

Stripe rejects requests where the timestamp is more than 5 minutes from the receiver's clock. Use a fresh timestamp.

Source

Use current time so the signature passes replay tolerance windows. Switch to Manual to reproduce a captured request exactly.

Only used when copying the curl command. The signature itself does not depend on the URL.

Computed locally with the Web Crypto API. Your secret and body never leave the browser.

Provider quick reference

  • Stripe: Stripe-Signature header carries a timestamp and one or more v1 entries. Receivers must check the HMAC and a tolerance window (300 seconds is the default).
  • GitHub: X-Hub-Signature-256 (sha256) is the modern header. X-Hub-Signature (sha1) is still sent for compatibility but should not be used to authenticate new code paths.
  • Slack: Pair X-Slack-Signature with X-Slack-Request-Timestamp. Reject timestamps older than five minutes to block replays.
  • Shopify: Base64-encoded HMAC-SHA-256 of the raw body. Verify before parsing JSON so a re-serialized body cannot break the check.
  • Svix / Standard Webhooks:webhook-signature carries a versioned list (v1,<sig> v1,<sig> ...). webhook-id and webhook-timestamp are required to validate.
  • Custom: Use this when your platform documents a plain HMAC of the body with a chosen algorithm, encoding, and header. Match those exactly on the receiver.

How to use

  1. Pick the provider whose webhook you want to imitate, or pick Custom HMAC for a plain HMAC of the body.
  2. Paste the signing secret. Include any provider prefix (such as whsec_) exactly as your dashboard shows it.
  3. Paste the raw request body. Use Beautify or Minify if you need to match a specific on-the-wire shape.
  4. For Stripe, Slack, or Svix, leave Use current time on so the signature passes replay tolerance. Switch to Manual to reproduce a captured timestamp.
  5. Click Generate signature. The signing string, HMAC, each HTTP header, and a curl command appear with their own Copy buttons.
  6. Paste the curl command into your terminal (after replacing the URL with your local tunnel) to deliver a signed test request to your receiver.

About this tool

Webhook Signature Generator builds the headers a real webhook producer would attach so you can replay or fuzz traffic against your own receiver without leaving the browser. Pick a provider preset (Stripe, GitHub sha256 or sha1, Slack, Shopify, Svix and Standard Webhooks) or switch to Custom HMAC to choose the algorithm (SHA-1, SHA-256, or SHA-512), output encoding (hex or base64), and header name. The tool builds the exact signing string each platform requires: Stripe concatenates the timestamp and body with a dot, Slack prefixes v0: and the timestamp, Svix prepends the message id and timestamp, GitHub and Shopify sign the raw body. It HMACs the signing string with your secret using the Web Crypto API, formats the signature in the encoding the receiver expects, and assembles the full header set (including paired timestamp and message id headers when the spec needs them). The output panel shows the signing string, the raw HMAC, every header name and value, and a ready-to-run curl command that POSTs the body with --data-binary so no bytes are re-serialized between sign and send. Everything runs locally. The secret, the body, and any URL you enter stay in your browser. Pair it with a tunnel like ngrok or Cloudflare Tunnel and your local receiver will see the same shape of request that the real provider would deliver.

Free to use. Works in your browser. No signup, no login.

Related tools

You may also like

All tools
Developer

Stripe Webhook Signature Verifier

Parse the Stripe-Signature header and verify v1 HMAC plus replay tolerance.

Open tool

Security

HMAC Generator

Generate and verify HMAC-SHA1, SHA-256, SHA-384, and SHA-512 signatures.

Open tool

Security

SHA-256 Hash Generator

Hash text or files with SHA-1, SHA-256, SHA-384, and SHA-512.

Open tool

Developer

Authorization Header Generator

Build Basic, Bearer, and custom Authorization headers with copy-paste request snippets.

Open tool

Developer

cURL Command Builder

Form-driven builder that emits curl, PowerShell, HTTPie, wget, fetch, and raw HTTP/1.1.

Open tool

Developer

JWT Generator

Sign HS256, HS384, and HS512 JWTs with editable claims and expiry helpers.

Open tool

All toolsDeveloper Tools