Free, browser-based utilities for everyday developer workflows

Verify GitHub webhook signature locally

GitHub signs webhooks with HMAC-SHA256 and sends the result in the X-Hub-Signature-256 header as sha256=<digest>. Verification fails on the wrong header, wrong algorithm, a changed body, or the wrong secret.

Open the tool, then paste the sample input below. Everything runs locally in your browser.

Open this example in Webhook Signature Verifier →

The problem

The expected value is an HMAC-SHA256 of the raw request body, keyed with your webhook secret, hex-encoded and prefixed with sha256=. The older X-Hub-Signature header carries an HMAC-SHA1 of the same body and should not be relied on. Strip the sha256= prefix, then compare the computed digest to the received one with a constant-time comparison rather than plain string equality, so that the check does not leak how many leading bytes matched.

Sample input

Raw payload
{
  "ref": "refs/heads/main",
  "repository": {
    "name": "example-repo"
  }
}
Signature header
X-Hub-Signature-256: sha256=example_signature
Webhook secret
github_webhook_secret_example

Expected output

The verifier computes HMAC-SHA256 of the raw body with your secret and compares it to the value after sha256=. A match means the body is byte-for-byte what was signed and the secret on both sides is the same; a mismatch tells you nothing about which of the two is wrong.

How to do it

  1. Copy the exact raw webhook payload.
  2. Copy the X-Hub-Signature-256 header value.
  3. Enter the webhook secret.
  4. Select HMAC-SHA256 if it is not detected automatically.
  5. Compare the computed signature to the value after sha256=.

Common mistakes

  • Using X-Hub-Signature (SHA-1) instead of X-Hub-Signature-256.
  • Computing the HMAC with SHA-1 instead of SHA-256.
  • Changing payload whitespace before verifying.
  • Using the wrong webhook secret.
  • Comparing without stripping or accounting for the sha256= prefix.

FAQ

What is X-Hub-Signature-256?

The GitHub webhook header that carries the HMAC-SHA256 signature of the payload, formatted as sha256= followed by the hex digest.

Does GitHub use HMAC-SHA256?

Yes, for the X-Hub-Signature-256 header. The legacy X-Hub-Signature header uses HMAC-SHA1 and should be avoided.

Do I need the raw webhook body?

Yes. The signature is computed over the exact bytes GitHub sent, so verify against the raw body, not a re-serialized object.

Why does my GitHub webhook signature not match?

Common causes are using the SHA-1 header, a body that was modified or re-serialized before hashing, the wrong secret, or comparing with the sha256= prefix still attached on one side and not the other.

Can I verify GitHub webhook signatures locally?

Yes. The verifier runs HMAC-SHA256 in your browser; the secret stays on your device.

Verification runs locally in your browser using Web Crypto. The webhook secret is never uploaded.

Explore more security and debugging tools

Sanitize HAR files, verify webhook signatures, decode JWTs and inspect certificates — grouped in one place.

View the security & debugging toolkit →