Webhook Payload Builder
Generate realistic sample payloads for testing your webhook endpoints.
Ready to test with real webhooks?
Recuro delivers webhooks on a schedule with automatic signing, retries, and delivery logs.
Understanding webhook payloads
A webhook payload is the JSON body that a service sends to your endpoint when an event occurs. Each provider structures their payloads differently, but common patterns emerge: an event type field that tells you what happened, a data object containing the resource that changed, and metadata like timestamps and unique IDs for idempotency.
Stripe wraps every event in an envelope with type,
data.object, and
created fields. GitHub uses an
action field alongside the resource object and sends the
event type as the X-GitHub-Event header rather than in the
body. Shopify puts the event type in the
X-Shopify-Topic header and sends the resource directly as
the top-level payload.
When building your webhook handler, always validate the payload structure before accessing nested fields. Check for the event type first, then extract the data you need. Store the event ID and use it for idempotency — webhook providers may retry delivery, and your handler should safely ignore duplicate events.
Need to schedule and monitor HTTP requests reliably? Recuro handles webhook delivery with automatic retries, failure alerting, and full execution logs — so you never miss a delivery or lose track of what was sent.
Frequently Asked Questions
How do I test webhooks locally?
To test webhooks locally, you need to expose your local server to the internet. Tools like ngrok or Cloudflare Tunnel create a public URL that forwards requests to your localhost. Start your local server, run the tunnel, then configure the webhook provider to send events to the tunnel URL. Use this payload builder to understand the exact shape of the payload your endpoint will receive, so you can build your handler before going live.
What should my webhook endpoint return?
Most webhook providers expect a 200 OK response within a few seconds. Return the 200 status as quickly as possible, then process the payload asynchronously if needed. Some providers (like Slack) require a specific response body for verification challenges. If your endpoint returns a 4xx or 5xx status, most providers will retry delivery with exponential backoff — typically 3 to 5 attempts over several hours.
How do I verify webhook signatures?
Webhook providers sign payloads using HMAC with a shared secret. The signature is sent in a header (e.g., Stripe-Signature, X-Hub-Signature-256, X-Shopify-Hmac-Sha256). To verify, compute the HMAC of the raw request body using your endpoint secret, then compare it to the signature in the header using a constant-time comparison function. Never skip signature verification in production — it prevents replay attacks and payload tampering.
⌘Enter to run · ⌘⇧C to copy