Webhook Secret Generator
Generate cryptographically strong webhook secrets for HMAC verification. Works with Stripe, GitHub, Clerk, Twilio, Shopify, and more.
Provider Support Chart
| Provider | Recommended Format | Recommended Length |
|---|---|---|
| 💳 Stripe | Hex | 32 bytes |
| 🐙 GitHub | Any (Hex common) | 32+ bytes |
| 🔐 Clerk | Hex | 32 bytes |
| 📞 Twilio | Hex | 32 bytes |
| 🛍️ Shopify | Hex | 32 bytes |
| 🅿️ PayPal | Base64 | 32+ bytes |
| 💬 Slack | Hex | 32 bytes |
| 📧 SendGrid | Hex | 32 bytes |
About Webhook Secret Generator
A webhook secret is a shared cryptographic key used to verify that incoming webhook requests genuinely originate from a trusted source. When a provider (such as Stripe or GitHub) sends an HTTP POST request to your endpoint, they compute an HMAC (Hash-based Message Authentication Code) signature over the request body using the secret and include it in a request header. Your server recomputes the same HMAC and compares it to the header value — if they match, the payload is authentic and has not been tampered with.
Without a webhook secret, any attacker who knows your endpoint URL can send forged requests and trigger unintended actions. Using a strong, random secret — generated with a cryptographically secure random number generator — ensures the signature cannot be guessed or brute-forced.
How to Use Webhook Secret Generator
- Select the output format — Hex is widely supported and human-readable; Base64 is compact; URL-safe Base64 avoids characters that break query strings.
- Choose a byte length using one of the preset buttons (32, 64, 128) or drag the slider to set a custom length. More bytes means a stronger secret.
- The secret is generated instantly in your browser using crypto.getRandomValues() — no data is sent to any server.
- Click Regenerate any time to create a brand-new secret.
- Click Copy and paste the secret into your webhook provider's dashboard and your server's environment variables (e.g. WEBHOOK_SECRET=...).
- Consult the Provider Support Chart above to confirm the correct format and length for your specific provider.
FAQ
What is a webhook secret?
A webhook secret is a random string shared between you and a webhook provider. The provider uses it to sign each request with HMAC, and your server uses it to verify the signature, confirming the request is genuine and unmodified.
What is the difference between Hex and Base64?
Both formats encode the same underlying random bytes. Hex uses only characters 0–9 and a–f, producing a string twice as long as the byte count. Base64 uses A–Z, a–z, 0–9, +, and /, producing a string roughly 1.33× the byte count. URL-safe Base64 replaces + with - and / with _ to avoid conflicts in URLs and HTTP headers. Choose the format your provider specifies; if unspecified, Hex is the safest default.
How long should a webhook secret be?
A minimum of 32 bytes (256 bits) is recommended for HMAC-SHA256, which is the most common webhook signing algorithm. 64 bytes provides a comfortable security margin beyond current cryptanalytic capabilities. There is little practical reason to go beyond 128 bytes — HMAC already extracts entropy up to its block size.
Is it safe to generate secrets in the browser?
Yes. This tool uses crypto.getRandomValues(), which is backed by the operating system's CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) — the same source used by native security tools. No data is transmitted to any server; everything happens locally in your browser tab.
How do I rotate a webhook secret?
Generate a new secret here, update your environment variable or secret manager, and then update the secret in your provider's dashboard. Most providers (e.g. Stripe) support a brief overlap window where both old and new secrets are accepted, which allows you to deploy the server-side change without downtime. Once the rollout is complete, remove the old secret from the provider and your configuration.
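The sign-and-verify flow from the About section, combined with the rotation overlap described above, as an added Node.js example that is not this tool's own code. It assumes the encoded secret string itself is the HMAC key and that the signature arrives as a lowercase hex digest; the function names are hypothetical, and each real provider defines its own header and signed-payload format.

```javascript
// Added example, not the generator's own code. Runs under Node.js.
const { webcrypto, createHmac, timingSafeEqual } = require('node:crypto');

// Same CSPRNG call the page names; format is 'hex', 'base64' or 'base64url'.
function generateSecret(byteLength = 32, format = 'hex') {
  const bytes = webcrypto.getRandomValues(new Uint8Array(byteLength));
  return Buffer.from(bytes).toString(format);
}

// Sender side: HMAC-SHA256 over the exact raw body bytes, as lowercase hex.
// Assumption: the encoded secret string itself is used as the key.
function sign(secret, rawBody) {
  return createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Receiver side: recompute the HMAC and compare in constant time.
function verify(secret, rawBody, headerSignature) {
  const expected = Buffer.from(sign(secret, rawBody), 'utf8');
  const received = Buffer.from(String(headerSignature), 'utf8');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(expected, received);
}

// Rotation overlap: accept a signature made with any currently valid secret.
// Every candidate is checked so the loop does not stop at the first match.
function verifyAny(secrets, rawBody, headerSignature) {
  let ok = false;
  for (const secret of secrets) {
    if (verify(secret, rawBody, headerSignature)) ok = true;
  }
  return ok;
}

// Constructed sample: a body signed with the old secret during a rotation.
const oldSecret = generateSecret(32, 'hex');
const newSecret = generateSecret(32, 'base64url');
const body = '{"id":"evt_constructed_1","type":"sample.event"}';
const signature = sign(oldSecret, body);

console.log(verifyAny([newSecret, oldSecret], body, signature));       // overlap window
console.log(verifyAny([newSecret], body, signature));                  // old secret removed
console.log(verifyAny([newSecret, oldSecret], body + ' ', signature)); // body altered
```

Verify against the raw request bytes before any JSON parsing, since re-serialized JSON will not reproduce the bytes that were signed.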
Can I use the same secret for multiple providers?
It is strongly recommended to use a unique secret for each provider and each environment (development, staging, production). Reusing secrets means a compromise at one provider or in one environment exposes all others. Generate a fresh secret for every integration.