Security & reliability
Webhook signature inspector
A step-by-step debugger for the HMAC signature scheme. Every delivery — valid or tampered — is logged and broken down so you can see exactly how verification works.
How the signature is computed
- RippleCore joins the delivery timestamp and the raw request body with a dot:
<x-ripplecore-timestamp>.<rawBody>. - It HMAC-SHA256s that string with your endpoint's shared secret and sends the hex digest as
x-ripplecore-signature: sha256=<hex>. - Your receiver recomputes the same digest from the bytes it received and compares in constant time. Any change to the body, secret, or timestamp changes the digest — so a tampered payload can't match.
- The
x-ripplecore-timestampis also checked against a ±300s tolerance to reject replayed deliveries.