Browser-only
Generation and export both stay in the browser.
Webhook Secret Generator
Generate secure random webhook secrets for HMAC verification, API callbacks, and service-to-service authentication.
Webhook Secret Generator
Create private secrets for webhook signature verification, callback authentication, and internal service validation.
The recommended default for production systems.
Readable and easy to store in environment variables.
A practical default for most webhook integrations.
Secret
Secure random generation is not available in this browser..env format
WEBHOOK_SECRET=Store the value in an environment variable or secret manager.
What Is a Webhook Secret?
What Is a Webhook Secret?
A webhook secret is a private random value shared between the sender and the receiver. It is commonly used to generate or verify an HMAC signature so the receiver can confirm that the request is authentic and has not been modified.
Why Webhook Secrets Matter
Webhook secrets help protect against fake requests, payload tampering, unauthorized event injection, and accidental exposure of unauthenticated endpoints.
How Webhook Signature Verification Works
- 1The sender creates a signature from the raw request body and the shared secret.
- 2The sender includes the signature in an HTTP header.
- 3The receiver reads the raw request body.
- 4The receiver creates its own signature with the same secret.
- 5The receiver compares both signatures with a constant-time check.
- 6If they match, the request is accepted.
- 7If they do not match, the request is rejected.
Always verify the signature using the raw request body before parsing JSON.
Recommended Secret Length
For most production webhook integrations, use at least 32 random bytes. This tool uses 48 random bytes by default for a stronger safety margin.
Webhook Secret vs API Key
| Item | Webhook Secret | API Key |
|---|---|---|
| Main purpose | Verify incoming webhook payloads | Authenticate API requests |
| Direction | Sender to receiver | Client to API |
| Common usage | HMAC signature verification | API access control |
| Should it be public? | No | No |
| Where to store it? | Environment variables or secret manager | Environment variables or secret manager |
Webhook Security Best Practices
- Always verify the raw request body.
- Do not parse JSON before signature verification.
- Use constant-time comparison.
- Reject requests with missing signatures.
- Reject requests with invalid signatures.
- Use HTTPS.
- Rotate secrets if they are exposed.
- Store secrets in environment variables or a secret manager.
- Never commit secrets to a repository.
- Use provider-specific rules for services like Stripe, GitHub, Slack, Shopify, or Discord.
Common Implementation Mistakes
- Verifying a parsed object instead of the raw body.
- Using a short or guessable secret.
- Logging the secret or copying it into analytics.
- Accepting missing signatures.
- Reusing the same secret everywhere.
FAQ
What is a webhook secret?
A webhook secret is a private random value used to verify that a webhook request came from a trusted sender. It is usually used with HMAC signatures.
Is this webhook secret generated securely?
Yes. The tool uses the browser Web Crypto API to generate cryptographically secure random bytes.
Is the generated secret sent to a server?
No. The secret is generated locally in the browser and is never sent to a server by this tool.
What length should I use?
Use at least 32 random bytes for production. The default in this tool is 48 bytes.
Should I use hex or base64url?
Hex is easy to read and store in environment variables. Base64url is shorter and URL-safe. Hex is the default here for simplicity.
Can I commit the webhook secret to Git?
No. Store webhook secrets in environment variables, deployment platform secrets, or a secret manager.
Is a webhook secret the same as an API key?
No. An API key is usually used by a client to access an API. A webhook secret is usually used by a receiver to verify that an incoming webhook request is authentic.
Browse all generators
Open the full generators page to compare tools and switch to another one.
Safety
No upload
Your input is never sent to a server.
No storage
Reloading clears the input and output.