About Signature Forensics

Signature Forensics shows you a realistic webhook scenario — body, headers, secret, and provider — and asks you to identify why HMAC signature verification keeps failing. Every day everyone gets the same challenge so you can compare results. Topics include Stripe, GitHub, Slack, Shopify, and generic HMAC webhooks.

Why it helps

• Build intuition for the most common webhook verification failure modes before a real incident.
• Learn why the raw body must be captured before any middleware parses or re-serializes it.
• Understand timestamp tolerance, encoding differences, and secret whitespace pitfalls.
• Use the related Webhook Signature Verifier to test signatures interactively.

Runs locally in your browser. Progress is stored only in this browser.