Webhook secret generator

Generate random, secure webhook secrets for HMAC verification, API callbacks, and service-to-service authentication.

Browser-only

Create private secrets to verify webhook signatures, authenticate callbacks, and validate internal services.

Secret strength

The recommended value for production systems.

Output format

Readable and easy to store in environment variables.

Prefix mode

A practical default for most integrations.

Secret

Secure random generation is not available in this browser.

.env format

WEBHOOK_SECRET=
Store the value in an environment variable or a secrets manager.

What Is a Webhook Secret?

A webhook secret is a private random value shared between the sender and the receiver. It is commonly used as the key for an HMAC signature: the sender signs the request body with it, and the receiver recomputes the signature with the same key, so a match confirms both that the request came from a holder of the secret and that the body was not modified in transit.

Why Webhook Secrets Matter

Webhook secrets help protect against fake requests, payload tampering, unauthorized event injection, and accidental exposure of unauthenticated endpoints.

How Webhook Signature Verification Works

  1. The sender creates a signature from the raw request body and the shared secret.
  2. The sender includes the signature in an HTTP header.
  3. The receiver reads the raw request body.
  4. The receiver creates its own signature with the same secret.
  5. The receiver compares both signatures with a constant-time check.
  6. If they match, the request is accepted.
  7. If they do not match, the request is rejected.

Always verify the signature over the raw request body, the exact bytes received, before parsing it as JSON. Parsing and re-serializing can change whitespace, key order, or number formatting, so a signature computed over the re-serialized object will not match what the sender signed.

Recommended Secret Length

For most production webhook integrations, use at least 32 random bytes (256 bits of entropy, matching the HMAC-SHA256 output size). This tool uses 48 random bytes by default for a wider safety margin. Longer keys are harmless: HMAC uses the key directly and only hashes it first if it exceeds the 64-byte SHA-256 block size.

Webhook Secret vs API Key

Item                 | Webhook Secret                          | API Key
Main purpose         | Verify incoming webhook payloads        | Authenticate API requests
Direction            | Sender to receiver                      | Client to API
Common usage         | HMAC signature verification             | API access control
Should it be public? | No                                      | No
Where to store it?   | Environment variables or secret manager | Environment variables or secret manager

Webhook Security Best Practices

  • Always verify the raw request body.
  • Do not parse JSON before signature verification.
  • Use constant-time comparison.
  • Reject requests with missing signatures.
  • Reject requests with invalid signatures.
  • Use HTTPS.
  • Rotate secrets if they are exposed.
  • Store secrets in environment variables or a secret manager.
  • Never commit secrets to a repository.
  • Follow the provider's own signing scheme (header name, signed payload format, and any timestamp handling) for services like Stripe, GitHub, Slack, Shopify, or Discord.

Common Implementation Mistakes

  • Verifying a parsed object instead of the raw body.
  • Using a short or guessable secret.
  • Logging the secret or copying it into analytics.
  • Accepting missing signatures.
  • Reusing the same secret everywhere.

Frequently Asked Questions

What is a webhook secret?

A webhook secret is a private random value used to verify that a webhook request came from a trusted sender. It is usually used with HMAC signatures.

Is this webhook secret generated securely?

Yes. The tool uses the browser Web Crypto API to generate cryptographically secure random bytes.

Is the generated secret sent to a server?

No. The secret is generated locally in the browser and is never sent to a server by this tool.

What length should I use?

Use at least 32 random bytes for production. The default in this tool is 48 bytes.

Should I use hex or base64url?

Both encode the same random bytes. Hex is easy to read and store in environment variables; base64url is shorter and URL-safe. For the default 48 bytes that is 96 hex characters versus 64 base64url characters. Hex is the default here for simplicity.

Can I commit the webhook secret to Git?

No. Store webhook secrets in environment variables, deployment platform secrets, or a secret manager.

Is a webhook secret the same as an API key?

No. An API key is usually used by a client to access an API. A webhook secret is usually used by a receiver to verify that an incoming webhook request is authentic.

See all generators

Open the full page to compare tools and switch to another.

Open tools

Security

Browser-only

Generation and export stay in the browser.

No uploads

Your input is never sent to a server.

No storage

Reloading the page clears the input and the output.