Verify Stripe webhook signature locally
Stripe signs webhooks with an HMAC over timestamp.payload. Verification fails when the raw body changed, the signing secret is wrong, or the timestamp is outside the tolerance window.
Open the tool, then paste the sample input below. Everything runs locally in your browser.
The problem
Stripe sends a Stripe-Signature header containing a timestamp (t=) and one or more signatures (v1=). The expected signature is an HMAC-SHA256 of t + "." + raw_body using your endpoint signing secret. If your framework re-serialized the JSON body, the bytes no longer match and verification fails.
Sample input
{
"id": "evt_example",
"type": "payment_intent.succeeded"
}
t=1710000000,v1=example_signature
whsec_example_secret
Expected output
Enter these in the verifier to compute the HMAC-SHA256 over t.payload and compare it to the v1 value. A match confirms the payload and secret line up; a mismatch points to a raw-body, secret, or timestamp problem.
How to do it
- Copy the exact raw webhook payload (the bytes your server received, before JSON parsing).
- Copy the Stripe-Signature header.
- Enter the endpoint signing secret (starts with whsec_).
- Verify the HMAC-SHA256 signature against the v1 value.
- If it fails, check the timestamp tolerance and confirm the body was not modified.
Common mistakes
- Verifying against parsed-and-re-serialized JSON instead of the raw request body.
- Using the wrong signing secret (dashboard vs CLI, test vs live).
- Letting middleware change payload whitespace or encoding.
- Rejecting due to a timestamp outside the tolerance window.
- Comparing against the wrong signature version in the header.
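The steps and mistakes above as a server-side check in Python. This is an added example, not code from the tool or from Stripe's libraries; the function names, the 300-second tolerance and the sample values are assumptions constructed for illustration. It reports which failure mode occurred and shows that a re-serialized body fails even though the JSON is equivalent.

```python
import hashlib
import hmac
import json

def parse_signature_header(header):
    """Split 't=...,v1=...,v1=...' into (timestamp, [v1 signatures])."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures

def expected_signature(secret, timestamp, raw_body):
    """Hex HMAC-SHA256 of t + "." + raw_body, keyed with the whsec_ secret."""
    signed = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()

def verify(raw_body, header, secret, now, tolerance=300):
    """Return "ok" or the failure reason; tolerance (seconds) is an assumed default."""
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not signatures:
        return "malformed header"
    expected = expected_signature(secret, timestamp, raw_body).encode()
    # Constant-time compare against every v1 value; one match is enough.
    matched = False
    for candidate in signatures:
        matched |= hmac.compare_digest(expected, candidate.encode())
    if not matched:
        return "signature mismatch"
    if abs(now - timestamp) > tolerance:
        return "timestamp outside tolerance"
    return "ok"

# Constructed sample data: placeholder secret, payload and timestamp.
SECRET = "whsec_example_secret"
RAW_BODY = b'{\n  "id": "evt_example",\n  "type": "payment_intent.succeeded"\n}'
T = 1710000000
HEADER = f"t={T},v1={'0' * 64},v1={expected_signature(SECRET, T, RAW_BODY)}"
# Same JSON after a parse/re-serialize round trip: equal objects, different bytes.
RESERIALIZED = json.dumps(json.loads(RAW_BODY)).encode()

if __name__ == "__main__":
    print(verify(RAW_BODY, HEADER, SECRET, now=T + 10))
    print(verify(RESERIALIZED, HEADER, SECRET, now=T + 10))
    print(verify(RAW_BODY, HEADER, SECRET, now=T + 3600))
```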
FAQ
Why does Stripe webhook signature verification fail?
Most often because the raw body was modified before verification, the signing secret is wrong, or the timestamp is outside the allowed tolerance.
Do I need the raw request body?
Yes. Stripe signs the exact bytes it sent. Use the raw body, not a re-serialized JSON object, or the HMAC will not match.
What is the Stripe signing secret?
A per-endpoint secret starting with whsec_ that you use as the HMAC key. Dashboard endpoints and the Stripe CLI have different secrets.
What does v1 mean in the Stripe-Signature header?
It is the signature scheme version. v1 is the HMAC-SHA256 signature; the header can also carry the timestamp as t= and multiple v1 values during secret rotation.
Can I verify the signature locally?
Yes. The verifier computes the HMAC in your browser using Web Crypto; the signing secret is never uploaded.
Signature verification runs locally in your browser using Web Crypto. Your signing secret is never uploaded or included in share links.