Stripe Webhook Signature Diagnostic

Paste your stripe-signature header, the raw request body, and your whsec_***. Get a verdict + root cause. Pure client-side — nothing leaves your browser.

Privacy: All compute happens locally in your browser via the Web Crypto API. The webhook secret never touches a network. There is no backend, no logging, no analytics on the form fields. Inspect Network tab to verify.

stripe-signature header e.g. t=1778120000,v1=abc123...

Raw request body The exact bytes, NOT JSON.parse(req.body)

Webhook signing secret Starts with whsec_ — Stripe Dashboard → Webhooks → Signing secret

Need it fixed in your repo, not just diagnosed?

$199 flat (first 3 clients, then $399). One file in your repo, sig verification, customer + founder emails, deployed and verified.

See the offer →

What this checks

Signature header parses correctly into t= + v1= components
Timestamp is within Stripe's recommended 5-minute tolerance window
HMAC-SHA256 of {timestamp}.{rawBody} using your webhook secret matches the signature
Common false-positive: raw body has been JSON-parsed and re-stringified (whitespace mismatch)
Common false-positive: timestamp is older than 5 minutes (retry of stale event)
Common false-positive: webhook secret is for the wrong endpoint or has been rotated

→ Read the deeper writeup of why Stripe webhooks return 400