Why use Signature Validator?
Webhook providers sign payloads so you can detect tampering. Paste the secret, signature header, and raw body using the provider’s documented algorithm to confirm whether your verification code matches theirs—critical when rotating secrets or migrating frameworks.
Practical tips
- Use the exact raw body bytes the provider signed; JSON pretty-printing breaks HMAC.
- Compare timestamp tolerance with Timestamp Validator when replay windows matter.
- Test both current and old signing secrets during rotation windows.
Common questions
- Which algorithms are supported?
- Follow in-tool presets for common providers. Exotic algorithms may need your own script.
- Is my secret sent to a server?
- Validation runs locally in the browser. Still avoid pasting production secrets on untrusted devices.