Paste a Space Duck webhook payload, the HMAC-SHA256 signature header, and your shared webhook secret. The tool recomputes the signature using crypto.subtle and compares it against the received header.
Everything runs in your browser โ no data is sent anywhere.
Verify a signature
Computed (HMAC-SHA256)
โ
Received (from header)
โ
Reference code
Use these snippets to implement Space Duck webhook signature verification in your own receiver.
import hmac, hashlib
def verify_signature(payload_body: bytes, secret: str, header: str) -> bool:
"""Verify a Space Duck webhook HMAC-SHA256 signature."""
if not header.startswith("sha256="):
return False
expected = "sha256=" + hmac.new(
secret.encode("utf-8"),
payload_body,
hashlib.sha256
).hexdigest()
# Constant-time comparison to prevent timing attacks
return hmac.compare_digest(expected, header)
# Example usage in Flask
from flask import Flask, request, abort
app = Flask(__name__)
@app.route("/webhook", methods=["POST"])
def webhook():
sig = request.headers.get("X-Space-Duck-Signature", "")
if not verify_signature(request.get_data(), "your-webhook-secret", sig):
abort(403)
event = request.json
print("Verified event:", event.get("event"))
return "", 200