Webhook Signature Generator

Generate HMAC signatures for webhook payloads. Test and share results instantly.

Generated entirely in your browser using the Web Crypto API. No secrets leave your device.

Presets:

Algorithm

Output format

Secret key

Payload

Generated signature

Test verify (paste an expected signature to compare)

Skip the manual HMAC setup

Recuro signs every webhook delivery automatically. Your endpoints receive authenticated payloads with zero configuration — plus retries, logging, and alerting built in.

Get started free

How webhook signature generation works

When a service sends a webhook, it computes an HMAC of the request body using a shared secret key and includes the result in a header. The receiving server recomputes the HMAC and compares it with the header value. If they match, the payload is authentic and unmodified. This tool lets you generate those signatures manually for testing, debugging, and documentation.

Each provider has its own format. Stripe computes HMAC-SHA256 of a timestamp-prefixed payload and sends the hex-encoded result in the Stripe-Signature header with a v1= prefix. GitHub sends sha256= followed by the hex digest in X-Hub-Signature-256. Shopify base64-encodes the HMAC and sends it in X-Shopify-Hmac-Sha256. Use the presets above to match each provider's format.

When testing your webhook endpoint, generate the signature here, then include it in the appropriate header of your test request. This lets you verify that your server-side signature validation logic works correctly before going live.

Want automated webhook signing? Recuro signs every outbound webhook delivery automatically and handles retries, logging, and alerting so you never miss a failure.

Frequently Asked Questions

What is a webhook signature and why does it matter?

A webhook signature is a cryptographic hash (typically HMAC) computed from the request body and a shared secret. The sender includes it in a header so the receiver can verify that the payload was not tampered with and that it genuinely came from the expected source. Without signature verification, anyone who discovers your webhook URL can send fake events to your server.

What is HMAC and how does it work?

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function (like SHA-256) with a secret key. The sender computes HMAC(secret, message) and attaches the result to the request. The receiver computes the same HMAC using its copy of the secret and compares the two values. If they match, the message is authentic and unmodified. HMAC is resistant to length-extension attacks that affect plain hash functions.

Which HMAC algorithm should I use?

SHA-256 is the most widely used and recommended choice. It offers strong security with good performance and is the default for Stripe, GitHub, and most modern webhook providers. SHA-1 is still used by some legacy systems but is considered weaker. SHA-384 and SHA-512 provide larger output sizes but are rarely needed for webhook signatures. When in doubt, use SHA-256.

⌘Enter to run Ctrl+Enter to run · ⌘⇧C to copy Ctrl+Shift+C to copy

Next steps

Verify a signature HMAC Verifier Build a payload Payload Builder Send the webhook Webhook Tester

View all tools →