Webhook Request Builder
Build a webhook test request with HMAC-SHA256 signing (the standard GitHub, Stripe, Twilio, and most other webhook providers use). Output cURL, Python requests, or JavaScript fetch. Useful for testing your webhook endpoint's signature verification before going live.
How to use the Webhook Request Builder
Set endpoint URL, payload, and webhook secret. Pick signature format matching your provider: GitHub uses sha256=<hex>, Stripe uses comma-separated t=...,v1=..., Twilio uses base64. The signed request is ready to fire — useful for verifying your endpoint accepts properly-signed requests and rejects unsigned/badly-signed ones.
Signing a webhook request for testing
Most webhook providers sign their requests with an HMAC: they hash the payload with a shared secret and send the result in a header, and your endpoint must recompute the same hash to confirm the request is genuine. Getting that verification right — and proving it rejects forged or unsigned requests — is hard to test without a request signed exactly the way the provider does it.
Set an endpoint, payload, and secret here and this produces a correctly signed request as cURL, Python, or JavaScript, in the signature format your provider uses: GitHub’s sha256=<hex>, Stripe’s t=...,v1=..., or a base64 form. It signs a custom payload of your own; for ready-made provider-shaped event bodies, pair it with the webhook payload generator, and for ordinary unsigned requests use the HTTP request builder.
Common use cases
- Verification testing — confirm your endpoint accepts correctly signed requests.
- Negative testing — check that unsigned or tampered requests are rejected.
- Matching a provider — reproduce GitHub, Stripe, or Twilio signature formats.
- Local development — fire a signed request at a dev endpoint.
- CI checks — generate a signed request for an automated test.