UseToolSuite UseToolSuite

Webhook Tester

Build, validate, and format webhook payloads for testing integrations. Create sample payloads for GitHub, Stripe, Slack, and custom webhooks — all in your browser.

Last updated

Webhook Tester is a free, browser-based tool from UseToolSuite's Network & API Tools collection. All processing happens locally on your device — your data is never uploaded to any server. Use the tool below, then scroll down for detailed documentation, frequently asked questions, and related resources.

Advertisement

What is Webhook Tester?

Webhook Tester is a free tool for building, validating, and formatting webhook payloads. It includes templates for popular services like GitHub, Stripe, and Slack, so you can quickly generate realistic test payloads. The tool validates JSON syntax, calculates payload size, and formats the output for readability — all in your browser with no server required.

When to use it?

Use Webhook Tester when developing webhook receivers, testing integration endpoints, or creating sample payloads for documentation. It is especially useful during the development phase when you need realistic test data without triggering actual events in third-party services like GitHub or Stripe.

Common use cases

Developers use this tool to construct webhook payloads for local testing with tools like ngrok, validate JSON payload structure before sending to production endpoints, generate sample payloads for API documentation and README files, format and inspect webhook payloads captured from logs, and verify payload sizes stay within receiver limits.

A webhook receiver is a security boundary, not just an endpoint

Anyone who learns your webhook URL can POST to it. That makes three properties non-negotiable on the receiving side — build the payload here, but design the handler around these:

  1. Authenticity — verify the provider’s signature so you only act on payloads they actually sent.
  2. Idempotency — the same event will arrive more than once; processing it twice must not double-charge, double-ship, or double-email.
  3. Freshness — reject payloads old enough to be a replay of a captured request.

Verifying signatures correctly

The mechanics are simple and easy to get subtly wrong:

  • Use the raw body. (See the FAQ above — this is the single most common failure.)
  • Compare in constant time. A naive == on signature strings leaks timing information that can be exploited to forge a signature byte by byte. Use a timing-safe comparison: crypto.timingSafeEqual in Node, hmac.compare_digest in Python.
  • Check the timestamp. Stripe-style schemes sign timestamp.payload and include the timestamp in the header. Reject anything outside a tolerance window (five minutes is typical) so a captured request can’t be replayed tomorrow.

Designing for duplicates

Every major provider documents at-least-once delivery — duplicates are a feature of reliability, not a bug. The defence is an idempotency key. Each event carries a stable id (evt_… from Stripe, the X-GitHub-Delivery UUID from GitHub). Record processed ids in a table with a unique constraint; if an insert collides, you’ve seen this event before — acknowledge with 2xx and do nothing else. This single table turns “we got charged twice during a provider retry storm” into a non-event.

Test the payload here, then test the transport

This builder validates and formats the JSON body so you can confirm shape and field names against a provider’s schema before you wire anything up. To exercise the full round trip, copy the generated payload and POST it to your endpoint — the cURL to Code tool will turn a curl -X POST into a snippet in your language. One caveat: a payload you build here won’t carry a valid provider signature, so point your handler’s signature check at test mode (or temporarily log-and-skip) when replaying hand-built payloads, and reserve real signature verification for traffic that genuinely came from the provider.

How helpful was this tool?

Click to rate

Advertisement

Key Concepts

Essential terms and definitions related to Webhook Tester.

Webhook

An HTTP callback that sends real-time data from one application to another when a specific event occurs. Unlike APIs where you poll for data, webhooks push data to your endpoint automatically. Common uses include payment notifications (Stripe), repository events (GitHub), and messaging integrations (Slack).

Payload

The body of data sent in a webhook HTTP request, typically formatted as JSON. The payload contains the event details — for example, a GitHub push webhook payload includes the commit messages, author information, repository details, and the list of changed files.

HMAC Signature

A cryptographic signature (Hash-based Message Authentication Code) used to verify that a webhook payload was sent by the expected service and was not tampered with in transit. The sender computes HMAC-SHA256 of the payload using a shared secret, and the receiver recomputes it to verify authenticity.

Frequently Asked Questions

Does this tool receive actual webhook requests?

No. This is a client-side payload builder and validator. It helps you construct, format, and validate webhook payloads before sending them to your application for testing. For receiving live webhooks, you would need a server-side endpoint or a service like webhook.site.

What webhook templates are available?

The tool includes templates for common services: GitHub (push, pull request, issue events), Stripe (payment, subscription events), Slack (message, interactive events), and a generic JSON webhook template. You can also create fully custom payloads.

Can I validate that my payload matches a specific schema?

The tool validates JSON syntax and structure. It checks that your payload is valid JSON, displays it formatted for readability, and highlights any syntax errors. For schema-specific validation, you would use the JSON Schema Generator tool in combination.

How do I use the generated payload for testing?

Copy the generated payload and use it with cURL, Postman, or any HTTP client to send a POST request to your webhook endpoint. The cURL to Code tool can help you generate the exact request code in your preferred language.

Why must I verify signatures against the raw request body, not the parsed JSON?

Providers like Stripe and GitHub compute the HMAC signature over the exact bytes they sent. The moment you parse JSON and re-serialise it, key order, whitespace, and number formatting can change — and the recomputed HMAC no longer matches, even though the data is identical. Always capture the raw body before any JSON middleware touches it (in Express, that means a raw body parser on the webhook route), verify the signature against those bytes, and only then parse.

How should my endpoint respond so the provider doesn't keep retrying?

Return a 2xx status (usually 200 or 204) as fast as possible — ideally within a couple of seconds. Most providers treat any non-2xx, or a timeout, as failure and retry with backoff, which means slow processing causes duplicate deliveries. The pattern that scales: acknowledge immediately with 2xx, enqueue the event to a background worker, and do the heavy lifting (DB writes, emails, third-party calls) off the request path.

Troubleshooting & Technical Tips

Common errors developers encounter and how to resolve them.

Invalid JSON syntax in payload

Common JSON errors include trailing commas after the last property, single quotes instead of double quotes, unquoted property names, and missing commas between properties. The tool highlights the exact location of syntax errors to help you fix them.

Webhook signature verification fails

Many services (GitHub, Stripe) sign webhook payloads with HMAC-SHA256. The signature depends on the exact byte content of the payload — even whitespace changes will produce a different signature. When testing, ensure you use the raw (non-prettified) payload for signature computation.

Payload too large or deeply nested

Most webhook receivers have payload size limits (typically 5-25 KB). If your test payload is very large or deeply nested, it may be rejected. Keep test payloads realistic and within the size limits specified by the receiving service.

Related Guides

In-depth articles covering the concepts behind Webhook Tester.

Advertisement

Related Tools