HMAC tester
Generates a valid X-Envara-Signature header for any request body. Everything runs locally in your browser using the Web Crypto API — your webhook secret never leaves this page.
Timestamp: 1783894099
How it works
- We compute
HMAC-SHA256(webhook_secret, raw_body)and hex-encode it. - Send the result as
X-Envara-Signature: sha256=<hex>. - Send
X-Envara-Timestamp(Unix seconds) alongside — must be within ±5 minutes of server time. - Body must be byte-for-byte identical to what was signed. Don't re-serialize JSON between signing and sending.
