Webhook signature verify
POST /api/webhook-verifyVerify a webhook's HMAC signature against the correct per-provider scheme: GitHub (X-Hub-Signature-256, sha256=hex), Stripe (Stripe-Signature t/v1 over "<t>.<body>" with replay tolerance), Shopify (X-Shopify-Hmac-Sha256, base64), Slack (X-Slack-Signature, v0:<ts>:<body> with replay tolerance). Constant-time comparison; the secret is never echoed. Pass the RAW request body string — signatures are over the raw bytes. Deterministic.
Input
| Field | Type | Description |
|---|---|---|
provider * | string | github | stripe | shopify | slack |
payload * | string | the RAW request body string, byte-for-byte as received (never a re-serialized object) |
secret * | string | the provider signing secret (never echoed back) |
signature * | string | the signature header value, with or without its scheme prefix (sha256= / v0= / t=...,v1=...) |
timestamp | string | provider timestamp, required for stripe + slack (stripe may be parsed from a t= element in the signature) |
toleranceSeconds | number | max timestamp age for stripe/slack replay protection (default 300; 0 skips the age check) |
Example output
{
"valid": true,
"provider": "github",
"scheme": "X-Hub-Signature-256: sha256=hex(HMAC-SHA256(secret, rawBody))",
"reason": "signature matches the recomputed HMAC for this payload and secret"
}
Try it — see the 402 challenge (free)
curl -i -X POST https://agent402.tools/api/webhook-verify \
-H "Content-Type: application/json" \
-d '{"provider":"github","payload":"{\"hello\":\"world\"}","secret":"it's a secret","signature":"sha256=8d4063f0a81aa1531d9891a028a68cf2bb537ecdf0e82557674d71e168d570f9"}'
The response is HTTP 402 Payment Required with exact payment requirements. Any x402 v2 client pays automatically and retries:
Paid call (JavaScript agent)
import { wrapFetchWithPayment } from "@x402/fetch";
import { x402Client } from "@x402/core/client";
import { registerExactEvmScheme } from "@x402/evm/exact/client";
import { privateKeyToAccount } from "viem/accounts";
const client = new x402Client();
registerExactEvmScheme(client, { signer: privateKeyToAccount(KEY) });
const payFetch = wrapFetchWithPayment(fetch, client);
const res = await payFetch("https://agent402.tools/api/webhook-verify", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
"provider": "github",
"payload": "{\"hello\":\"world\"}",
"secret": "it's a secret",
"signature": "sha256=8d4063f0a81aa1531d9891a028a68cf2bb537ecdf0e82557674d71e168d570f9"
}),
});
No wallet? Pay with compute
This is a pure-CPU tool, so an agent without a wallet can pay with proof-of-work instead of USDC: fetch a challenge, solve the sha256 puzzle (16 leading zero bits — a fraction of a second of CPU, no money, no AI tokens), and resend with the X-Pow-Solution header.
import { createHash } from "node:crypto";
const lz = (b) => { let t = 0; for (const x of b) { if (!x) { t += 8; continue; } t += Math.clz32(x) - 24; break; } return t; };
const c = await (await fetch("https://agent402.tools/api/pow/challenge?slug=webhook-verify")).json();
let n = 0;
while (lz(createHash("sha256").update(c.challenge + ":" + n).digest()) < c.difficulty) n++;
await fetch("https://agent402.tools/api/webhook-verify", { method: "POST", headers: { "X-Pow-Solution": c.token + ":" + n, "Content-Type": "application/json" }, body: JSON.stringify({"provider":"github","payload":"{\"hello\":\"world\"}","secret":"it's a secret","signature":"sha256=8d4063f0a81aa1531d9891a028a68cf2bb537ecdf0e82557674d71e168d570f9"}) });
Part of these workflows
This tool is one step in a curated multi-tool workflow — agents can fetch the whole sequence as an MCP prompt or call https://agent402.tools/api/skill-packs/{slug}/prompt.
- Webhook secure intake — The production ingest path for every incoming webhook: verify the provider signature (GitHub / Stripe / Shopify / Slack, constant-time, replay-window enforced), schema-validate the now-trusted body against the provider envelope, fingerprint the raw bytes for redelivery dedup, normalize the event timestamp to UTC + epoch, and redact PII before anything hits a log. Five pure-CPU tools — the accept-or-reject gate, run on every event.
Related tools
Email validate
POST /api/email-validateValidate an email address: syntax check plus live MX record lookup on the domain (deliverability signal, not a guarantee…
URL parse
POST /api/url-parseParse a URL into components: protocol, host, port, path, query params (decoded), hash, origin, punycode hostname.
IP info
POST /api/ip-infoClassify an IP address: version, public/private/loopback/link-local, integer form, and reverse-DNS (PTR) lookup.