Security & reliability

Webhook signature inspector

A step-by-step debugger for the HMAC signature scheme. Every delivery — valid or tampered — is logged and broken down so you can see exactly how verification works.

How the signature is computed

  1. RippleCore joins the delivery timestamp and the raw request body with a dot:<x-ripplecore-timestamp>.<rawBody>.
  2. It HMAC-SHA256s that string with your endpoint's shared secret and sends the hex digest asx-ripplecore-signature: sha256=<hex>.
  3. Your receiver recomputes the same digest from the bytes it received and compares in constant time. Any change to the body, secret, or timestamp changes the digest — so a tampered payload can't match.
  4. The x-ripplecore-timestamp is also checked against a ±300s tolerance to reject replayed deliveries.