Why verify webhook signatures?

Because a webhook endpoint is a public URL that anyone can POST to. Without verification, an attacker can forge events - fake a payment, fake a deploy, fake a user action - and your app will act on them. A signature, computed by the sender from the payload and a shared secret using HMAC, lets you confirm the request really came from the provider and was not tampered with. If the signature you compute does not match the one sent, you reject the request.

Why must I use the raw request body?

Because the signature is computed over the exact bytes that were sent. If your framework parses the JSON and you re-serialize it, even a difference in key order or whitespace changes the bytes and the signature will not match. Always compute the signature over the raw, unparsed request body - capturing it before any JSON middleware runs is the usual gotcha.

Is it safe to paste my webhook secret here?

The computation runs entirely in your browser using the Web Crypto API - nothing is uploaded. Still, a webhook signing secret is a live credential, so prefer testing with a sample or rotated secret rather than your production one. The tool is for understanding and debugging signature mismatches, not a place to handle production secrets.

Free tool · Runs in your browser · Nothing uploaded

Verify a webhook signature.

A webhook URL is public — anyone can POST to it. The signature is how you know an event is real and not forged. Paste the raw payload and your signing secret to compute the HMAC-SHA256 and check it against what you received.

Raw payload (the exact request body)

Signing secret

Signature you received (optional — to verify)

Computed signature

—

The endpoint anyone can call

Webhooks are how the services you use tell your app that something happened — a payment cleared, a build finished, a user signed up. The catch is that the endpoint is a public URL, so without verification anyone who finds it can send fake events and your app will dutifully act on them. The signature closes that hole: the sender hashes the payload with a shared secret, you recompute the hash, and if they match the event is genuine. It’s a few lines of code and the difference between trusting your webhooks and being spoofed by them.

Verifying signatures is the per-endpoint version of a bigger principle: don’t trust input, verify it — and keep the secrets that make verification possible somewhere controlled. Managing those signing secrets and proving how inbound events are authenticated, across the backend you own, is part of what a control plane keeps honest.

Related free tools

Command risk checkerIs this command safe?AI agent guard configGate your AI agent AI-agent blast-radius checkerWhat can your agent destroy?

All free tools →

Trust the event, not the URL.

Infraveil runs your backend on servers you own with secrets managed and inbound access governed — so the webhooks your app acts on are verified, and the secrets behind them live in one controlled, auditable place.

See how it works

Get the API-security playbook

Webhooks, signatures, secrets, and inbound auth for a backend you run yourself. No spam.