Verify GitHub Webhook Signature
Verify GitHub webhook signatures using SHA-256 HMAC. Get clear error messages when something's wrong.
🔒 Your webhook secret never leaves your browser. All verification happens client-side.
Common Questions
Where do I find my GitHub webhook secret?
Go to your GitHub repository → Settings → Webhooks → Click on your webhook → "Secret" field. This is the plain text secret you entered when creating the webhook.
Should I use SHA-1 or SHA-256?
Always use SHA-256 (X-Hub-Signature-256 header) for new webhooks. SHA-1 is deprecated and less secure.
Why does verification fail in my code but work here?
Your framework might be parsing the JSON body before verification. GitHub signatures must be verified against the exact raw bytes received, not the parsed object.
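The raw-bytes point above, as an added Node.js example (not this page's own code): it checks an X-Hub-Signature-256 value against the exact received bytes with a constant-time comparison, then shows the same payload failing once it has been parsed and re-serialized. The secret, payload and function names are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Returns { ok, reason } so a failure says what went wrong.
function verifyGitHubSignature(secret, rawBody, signatureHeader) {
  if (typeof signatureHeader !== "string" || signatureHeader.length === 0) {
    return { ok: false, reason: "missing X-Hub-Signature-256 header" };
  }
  if (!signatureHeader.startsWith("sha256=")) {
    return { ok: false, reason: "header does not start with sha256=" };
  }
  const receivedHex = signatureHeader.slice("sha256=".length);
  if (!/^[0-9a-fA-F]{64}$/.test(receivedHex)) {
    return { ok: false, reason: "signature is not 64 hex characters" };
  }
  // HMAC-SHA256 over the exact bytes received, keyed with the webhook secret.
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(receivedHex, "hex");
  // Constant-time comparison; both buffers are 32 bytes at this point.
  if (!crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: "signature mismatch" };
  }
  return { ok: true, reason: "signature valid" };
}

// Helper used only to build the constructed sample header below.
function sign(secret, rawBody) {
  const hex = crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
  return "sha256=" + hex;
}

// Constructed sample: spacing and trailing newline are part of the signed bytes.
const SAMPLE_SECRET = "example-secret-not-real";
const SAMPLE_RAW_BODY = Buffer.from('{"action": "opened",  "number": 1}\n', "utf8");
const SAMPLE_HEADER = sign(SAMPLE_SECRET, SAMPLE_RAW_BODY);

function demo() {
  // What a body-parsing framework hands you if you re-serialize the parsed object.
  const parsed = JSON.parse(SAMPLE_RAW_BODY.toString("utf8"));
  const reserialized = Buffer.from(JSON.stringify(parsed), "utf8");
  return {
    raw: verifyGitHubSignature(SAMPLE_SECRET, SAMPLE_RAW_BODY, SAMPLE_HEADER),
    reserialized: verifyGitHubSignature(SAMPLE_SECRET, reserialized, SAMPLE_HEADER),
  };
}

console.log(demo());
```

In a real handler, capture the request body as a Buffer before any JSON middleware runs and pass that Buffer as rawBody.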