Skip to main content
Back to Dev generators

Dev

Mock Webhook Signature Generator

Used by developers, writers, and creators worldwide.

A mock webhook signature generator produces example signed webhook headers for testing signature verification. Many services sign their webhooks so you can confirm a request genuinely came from them and was not tampered with, using a timestamp and an HMAC signature. This tool emits realistic signature headers in the common format, with a note on how verification works. Click generate and copy them into a test. It is ideal for testing a webhook verifier, documenting your webhook scheme, and learning how signing works. The headers follow the typical pattern — a timestamp, a signature combining that timestamp and a hash, and an event id. The signature here is random, so it will not verify, which is the point: it lets you test that your verifier correctly rejects an invalid signature. To test the success path, compute a real HMAC with your signing secret.

Loading usage…

Free forever — no account required

How to use

  1. Choose your options above
  2. Click Generate
  3. Copy your result

Detailed instructions

  1. Click Generate to produce signature headers.
  2. Copy them into your test.
  3. Test that your verifier rejects them.
  4. Compute a real HMAC to test success.

Use Cases

  • Testing webhook signature verification
  • Documenting a webhook scheme
  • Learning how webhooks are signed
  • Seeding signature headers
  • Testing rejection of bad signatures

Tips

  • Always verify incoming webhooks.
  • HMAC covers timestamp and body.
  • The timestamp guards against replays.
  • This signature will not verify by design.

FAQ

why are webhooks signed

Signing lets you verify that a webhook genuinely came from the expected sender and was not tampered with in transit. The sender computes a signature using a shared secret, and you recompute it on your end to confirm the request is authentic.

how does signature verification work

You compute an HMAC — typically SHA-256 — over the timestamp and raw request body using your signing secret, then compare it to the signature in the header. If they match, the request is authentic; if not, you reject it. The timestamp also guards against replays.

will this signature verify

No — it is random, so it will fail verification, which is intentional. Use it to test that your verifier correctly rejects invalid signatures. For the success path, compute a real HMAC with your actual signing secret over the matching payload.