Docs · Playground

Webhook signature playground

Paste the request body and the X-Anyshop-Signatureheader value, plus the webhook's signing secret. We verify with HMAC-SHA256 in your browser (the secret never crosses the wire) and tell you exactly why it does or doesn't match.

Signing secret (whsec_…)X-Anyshop-Signature headerRaw request body

How signatures work

Header format: t=<unix-secs>,v1=<hex>. v1 is HMAC_SHA256(secret, t + "." + raw_body).toHex(). Verify by recomputing the HMAC on your side and constant-time-comparing to the v1 value. Reject events older than ~5 minutes to prevent replay (the platform sends roughly that fast).