Webhook signature helper

Every webhook Verified Workflows sends is signed with HMAC-SHA256. Use this tool to sign a payload locally, verify your handler accepts genuine signatures, and grab a sample payload to test against.

This tool runs the exact algorithm documented in the API reference. The header name is X-VerifiedWorkflows-Signature (no hyphens between "Verified" and "Workflows"). Your secret is processed only in your browser session via the API — it is never stored.

Generate a signature header

Paste your webhook secret and the raw payload you want to send. We'll return the exact X-VerifiedWorkflows-Signature header to attach to the request.

Found in your account settings. Never share this.
Exact bytes that will be transmitted. JSON re-serialization with different whitespace will produce a different digest.

Verify an incoming signature

Confirm your verification logic is correct. Provide the same three values your handler would receive. We recompute the digest and check it in constant time, with a 5-minute replay-protection window.

Sample payloads

Fetch a realistic webhook body for each event the platform emits. Use it with the Sign tab to produce a signed request for your local handler — no real task required.

How to use this sample

Fetch the sample payload

Click Fetch sample above. Copy the raw_body field.

Sign it with your secret

Switch to the Sign tab, paste your webhook secret and the raw_body, then copy the resulting X-VerifiedWorkflows-Signature header value.

POST to your handler

Send the body and header to your local webhook endpoint. Your verification code should accept it. Re-run with Tamper payload in the Verify tab to confirm it rejects modified bodies.

Sign in to sign and verify live payloads Sign in Get API key