HMAC tester

Generates a valid X-Envara-Signature header for any request body. Everything runs locally in your browser using the Web Crypto API — your webhook secret never leaves this page.

Timestamp: 1783894099

How it works

  1. We compute HMAC-SHA256(webhook_secret, raw_body) and hex-encode it.
  2. Send the result as X-Envara-Signature: sha256=<hex>.
  3. Send X-Envara-Timestamp (Unix seconds) alongside — must be within ±5 minutes of server time.
  4. Body must be byte-for-byte identical to what was signed. Don't re-serialize JSON between signing and sending.