Home → Webhook Payload Tester

Webhook Payload Tester

Test webhook payloads and generate HMAC signatures for verification.

About This Tool

Test webhook payloads and generate HMAC signatures for verification. This tool runs entirely in your browser — no data is ever sent to a server. Free to use, no account required.

What a Webhook Tester Does

The webhook tester gives you a public URL to receive and inspect HTTP webhook payloads without setting up a server.

Receiving Webhook Payloads

Copy the unique test URL and configure it as the webhook endpoint in any third-party service. When that service fires a webhook, the tester captures the full HTTP request — headers, body, method, and timestamp — and displays it immediately.

Inspecting Webhook Structure

The captured JSON body is formatted and syntax-highlighted for easy reading. This lets you understand the exact payload structure before you write the handler code, so you know which fields are available and their types.

When to Use a Webhook Tester

A webhook tester is most valuable during the initial integration setup phase and when debugging unexpected webhook behavior.

Testing Third-Party Integrations

When setting up webhooks from Stripe, GitHub, Shopify, Twilio, or Slack, use a test URL to see the payload before building your handler. This prevents writing code against assumed payload structures.

Debugging Failed Webhooks

When a webhook integration is not working as expected, capture the actual payload to compare with what your handler expects. Differences in field names, types, or structure are a common source of webhook bugs.

Frequently Asked Questions

What is a webhook tester?

A webhook tester provides a temporary public URL that accepts HTTP POST requests and displays the request headers, body, and metadata in real time. Instead of building and deploying a server to receive webhooks during development, you point your webhook source at the tester URL to inspect the payload format before writing handler code.

How do I test a webhook with this tool?

Copy the generated test URL and paste it as the webhook URL in the third-party service (Stripe dashboard, GitHub repo settings, Shopify admin, etc.). Trigger an action that sends a webhook. The tester receives the request and displays the JSON body and headers so you can see exactly what was sent.

How long does the test URL stay active?

Test URLs are temporary and expire after the session ends or after a fixed period of inactivity. For persistent webhook endpoints during development, use a tunneling tool like ngrok to expose your local server. The webhook tester is best for quick inspection of payload format.

Can I use the webhook tester for production?

No. The webhook tester is for development and debugging only. Production webhooks should be handled by your own server with proper authentication (webhook secret validation), error handling, idempotency, and retry logic. Never use a public test URL for production webhook data.

JSON Webhook Payload Reference

Webhooks deliver JSON POST requests to your endpoint when events occur in external services. Understanding webhook payloads is essential for building integrations with payment processors, CI/CD systems, and SaaS platforms.

Common Webhook Payload Examples

// GitHub Push Event (simplified)
{
  "ref": "refs/heads/main",
  "commits": [
    {
      "id": "abc123",
      "message": "Fix login bug",
      "author": {"name": "Alice", "email": "alice@example.com"}
    }
  ],
  "repository": {"name": "my-app", "full_name": "alice/my-app"}
}

// Stripe Payment Intent Event
{
  "type": "payment_intent.succeeded",
  "data": {
    "object": {
      "id": "pi_abc123",
      "amount": 2000,
      "currency": "usd",
      "status": "succeeded"
    }
  }
}

Webhook Security Best Practices

Practice	Description
Signature verification	Verify HMAC-SHA256 signature in headers
HTTPS only	Never accept webhooks over plain HTTP
Idempotency	Handle duplicate deliveries gracefully
Respond quickly	Return 200 immediately, process async
Log all payloads	Store raw payload for debugging
Retry handling	Services retry on non-2xx responses

Verify Webhook Signature (Node.js)

const crypto = require("crypto");

function verifyWebhook(payload, signature, secret) {
  const hmac = crypto.createHmac("sha256", secret);
  hmac.update(payload, "utf8");
  const digest = "sha256=" + hmac.digest("hex");
  return crypto.timingSafeEqual(
    Buffer.from(digest),
    Buffer.from(signature)
  );
}

// Express middleware
app.post("/webhook", (req, res) => {
  const sig = req.headers["x-hub-signature-256"];
  if (!verifyWebhook(req.rawBody, sig, process.env.WEBHOOK_SECRET)) {
    return res.status(401).send("Invalid signature");
  }
  res.status(200).send("OK");
  processEvent(req.body); // async processing
});

How to Test Webhooks with JSON

Follow these steps to send a test webhook payload and inspect the response from your endpoint.

Get your webhook endpoint URL from your application or service
Determine the expected JSON payload structure your webhook accepts
Enter the URL in the Endpoint field
Select the HTTP method (usually POST for webhooks)
Paste your JSON payload in the body field
Add required headers (e.g., Content-Type: application/json, X-Webhook-Secret)
Click Send and inspect the response status code and body

Example Webhook Payload Structures

// GitHub webhook payload (push event)
{
  "ref": "refs/heads/main",
  "repository": {"name": "my-repo"},
  "commits": [{"id": "abc123", "message": "Fix bug"}],
  "pusher": {"name": "alice"}
}

// Stripe webhook payload (payment_intent.succeeded)
{
  "type": "payment_intent.succeeded",
  "data": {
    "object": {
      "id": "pi_abc123",
      "amount": 2000,
      "currency": "usd",
      "status": "succeeded"
    }
  }
}

Common Webhook HTTP Headers

Most webhook services require specific headers for authentication and content negotiation. Include these when testing to replicate what a real caller would send.

Header	Example Value	Purpose
Content-Type	application/json	Tell server the body is JSON
Authorization	Bearer token123	API authentication
X-Webhook-Secret	sha256=abc123	Webhook signature verification
X-Hub-Signature-256	sha256=...	GitHub webhook signature
Stripe-Signature	t=...,v1=...	Stripe webhook signature
X-Api-Key	your-api-key	Simple API key auth

Explore more tools: All JSON Tools | Validator | Pretty Print | JSON Diff