paste your failing webhook payload, secret, and signature header. plain-english answer in 5 seconds — why it failed, not just that it failed. stripe, github, slack, shopify. free. no signup.
we recompute the expected signature against your raw body + secret, compare it to what you received, and tell you what's wrong in human terms.
each provider signs webhooks with HMAC-SHA256 over a known input. stripesig knows all four schemes and tells you which step in the chain broke.
signs "{t}.{body}". hex-encoded as the v1 field of Stripe-Signature.
signs the raw body. hex-encoded in X-Hub-Signature-256 as sha256=....
signs "v0:{ts}:{body}". hex-encoded in X-Slack-Signature as v0=....
signs the raw body. base64-encoded in X-Shopify-Hmac-SHA256.
same diagnostic, callable from your terminal or your CI. returns { valid, provider, reason, hints[], details }. rate-limited 60/min/IP. free for now.
curl -X POST https://stripesig.apimesh.xyz/check -H "content-type: application/json" -d '{ "provider": "stripe", "secret": "whsec_...", "raw_body": "{\"id\":\"evt_...\"}", "headers": { "stripe-signature": "t=1577836800,v1=..." } }'
each /check request is processed in-memory and discarded. CORS allows direct browser calls — your secret never leaves your machine if you call the API client-side.
stripesig is one wedge in apimesh — single-purpose dev tools, one specific pain each. its own subdomain, its own demo, no signup wall.
replay attempts, history, more providers, team views. drop your email if that sounds useful — i'll only message you when it's actually live.