Webhook Request Builder

Build a webhook test request with HMAC-SHA256 signing (the standard GitHub, Stripe, Twilio, and most other webhook providers use). Output cURL, Python requests, or JavaScript fetch. Useful for testing your webhook endpoint's signature verification before going live.

How to use the Webhook Request Builder

Set endpoint URL, payload, and webhook secret. Pick signature format matching your provider: GitHub uses sha256=<hex>, Stripe uses comma-separated t=...,v1=..., Twilio uses base64. The signed request is ready to fire — useful for verifying your endpoint accepts properly-signed requests and rejects unsigned/badly-signed ones.

Signing a webhook request for testing

Most webhook providers sign their requests with an HMAC: they hash the payload with a shared secret and send the result in a header, and your endpoint must recompute the same hash to confirm the request is genuine. Getting that verification right — and proving it rejects forged or unsigned requests — is hard to test without a request signed exactly the way the provider does it.

Set an endpoint, payload, and secret here and this produces a correctly signed request as cURL, Python, or JavaScript, in the signature format your provider uses: GitHub’s sha256=<hex>, Stripe’s t=...,v1=..., or a base64 form. It signs a custom payload of your own; for ready-made provider-shaped event bodies, pair it with the webhook payload generator, and for ordinary unsigned requests use the HTTP request builder.

Common use cases

  • Verification testing — confirm your endpoint accepts correctly signed requests.
  • Negative testing — check that unsigned or tampered requests are rejected.
  • Matching a provider — reproduce GitHub, Stripe, or Twilio signature formats.
  • Local development — fire a signed request at a dev endpoint.
  • CI checks — generate a signed request for an automated test.

Frequently asked questions

What signature formats can it produce?

Hex with a sha256= prefix (GitHub style), bare hex, and base64, covering the formats most providers use.

How is the signature computed?

As an HMAC-SHA256 of the payload using your webhook secret — the same calculation your endpoint should perform to verify it.

Does it actually call my endpoint?

It generates the signed cURL, Python, or fetch request; you run it to hit your endpoint.

Where do I get a realistic payload?

Use the webhook payload generator for provider-shaped event bodies.
Embed this tool on your site

Free to embed, no attribution required (but appreciated). Paste this where you want the tool to appear: