Webhook Signature Verifier — BlackBox Society

Mode This tool cannot recover the exact raw body if you paste a prettified JSON that differs from the sent bytes.

Quick examples (safe)

These fill the form with a synthetic secret/payload and a matching signature generated in-browser.

Real-world gotcha: you must verify against the exact raw request body. For JSON, avoid pretty-printing, trimming, or newline normalization.

Secret

show Tip: use whsec_... (Stripe) or your repo webhook secret (GitHub).

Signature header / expected signature

Hash

Output encoding

Raw payload normalize newlines (CRLF→LF)

Off by default. Turn on only if your copied payload likely changed line endings.

Idle. Paste inputs and click Verify.

Computed signature

For Stripe, this is the computed v1 digest.

Stripe timestamp tolerance (seconds)

Only used in Stripe mode. It checks |now - t| ≤ tolerance.

String being signed

Use this to spot whitespace/newline differences fast.

Warning: some providers sign the exact raw bytes. If you paste a transformed payload (pretty JSON, normalized newlines), verification will fail even with the right secret.

Raw body capture cheatsheet

Goal: copy the exact request body bytes used to compute the signature (before your JSON parser modifies anything).

Stripe (Node/Express): use express.raw({type:'application/json'}) or Stripe’s recommended stripe.webhooks.constructEvent(rawBody, sig, secret) pattern. Keep the raw buffer.
Next.js / serverless: disable body parsing (or capture the raw stream) so you can pass raw bytes to verification.
GitHub: verify against the full JSON payload exactly as received; avoid pretty-printing. Header is X-Hub-Signature-256: sha256=....
ngrok / local tunnel: you can often copy the exact request body from the inspector—use that, not your app’s re-serialized JSON.

If you still get INVALID with the right secret, the #1 cause is payload mismatch (whitespace/newlines/encoding).