webhooks.cc now sends signed test payloads, detects providers, and verifies signatures for 28 webhook providers. This release adds 14, across payments, CRM, scheduling, and developer tools.
The new providers: Square, HubSpot, Mailgun, Calendly, Mux, Sentry, Bitbucket, Meta, Lemon Squeezy, Coinbase Commerce, Razorpay, Cal.com, Intercom, and Telegram.
What support means
Every provider in the catalog gets three things:
- Signed test templates. Generate a realistic payload with a valid signature header and send it to any endpoint. You don't need a real provider account.
- Auto-detection. Captured requests show the provider and event in the request list, so a Stripe charge reads differently from a HubSpot contact at a glance.
- Signature verification. Check a captured request in the dashboard, from the SDK, or automatically on every request.
The 14 new providers
Each one uses its real signing scheme, so a signature that verifies here verifies in production.
| Provider | Signature header | Scheme |
|---|---|---|
| Square | x-square-hmacsha256-signature | HMAC-SHA256 over the notification URL + body |
| HubSpot | x-hubspot-signature-v3 | HMAC-SHA256 over method + URL + body + timestamp |
| Mailgun | (body fields) | HMAC-SHA256 over timestamp + token |
| Calendly | calendly-webhook-signature | HMAC-SHA256, t=…,v1=… |
| Mux | mux-signature | HMAC-SHA256, t=…,v1=… |
| Sentry | sentry-hook-signature | HMAC-SHA256 over the body |
| Bitbucket | x-hub-signature | HMAC-SHA256, sha256= |
| Meta | x-hub-signature-256 | HMAC-SHA256, sha256=, keyed by the app secret |
| Lemon Squeezy | x-signature | HMAC-SHA256 hex |
| Coinbase Commerce | x-cc-webhook-signature | HMAC-SHA256 hex |
| Razorpay | x-razorpay-signature | HMAC-SHA256 hex |
| Cal.com | x-cal-signature-256 | HMAC-SHA256 hex |
| Intercom | x-hub-signature | HMAC-SHA1, sha1= |
| Telegram | x-telegram-bot-api-secret-token | Shared secret token |
That brings the catalog to 28 providers: all 28 generate templates, and 27 verify signatures. SendGrid stays template-only — it has no shared-secret scheme to check.
Send a signed test webhook
Pick a provider and template, pass your signing secret, and webhooks.cc signs the payload:
```ts
import { WebhooksCC } from "@webhooks-cc/sdk";

const client = new WebhooksCC({ apiKey: process.env.WHK_API_KEY! });
const endpoint = await client.endpoints.create({ expiresIn: "1h" });

await client.endpoints.sendTemplate(endpoint.slug, {
  provider: "hubspot",
  template: "contact.creation",
  secret: process.env.HUBSPOT_CLIENT_SECRET!,
});
```

The dashboard's Send button offers the same templates. From an AI agent, the MCP `send_webhook` tool takes the same provider, template, and secret.
Verify a signature
Set a signing provider and secret on the endpoint, and webhooks.cc verifies every incoming request for you — each capture shows a verified or failed badge. To check one by hand, open the Signature tab and paste the secret.
In code, verifySignature dispatches by provider:
```ts
import { verifySignature } from "@webhooks-cc/sdk";

const result = await verifySignature(request, {
  provider: "sentry",
  secret: process.env.SENTRY_CLIENT_SECRET!,
});
console.log(result.valid);
```

Two providers need the request URL
Square signs the notification URL together with the body, and HubSpot v3 signs the method, URL, body, and timestamp. Pass the URL — and the method for HubSpot — so the check matches what the provider signed:
```ts
await verifySignature(request, {
  provider: "square",
  secret: process.env.SQUARE_SIGNATURE_KEY!,
  url: "https://api.example.com/webhooks/square",
});

await verifySignature(request, {
  provider: "hubspot",
  secret: process.env.HUBSPOT_CLIENT_SECRET!,
  url: "https://api.example.com/webhooks/hubspot",
  method: "POST",
});
```

The dashboard and the receiver already know the URL a webhook arrived on, so automatic verification and the Signature tab handle Square and HubSpot without extra input. You only pass the URL when you call verifySignature yourself.
A few quirks worth knowing
- Mailgun sends no signature header. It puts `timestamp`, `token`, and `signature` in the request body, and the verifier reads them from there.
- Bitbucket and Intercom both use `x-hub-signature`. Bitbucket also sends `x-event-key`, so detection keys on that header to tell the two apart.
- HubSpot rejects timestamps older than five minutes, so a replayed request fails verification even with the right secret.
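To see why the URL and the timestamp matter, here is an added example (plain Node.js, not the webhooks.cc SDK or code from this post) that recomputes the Square and HubSpot v3 signatures by hand and shows the checks failing when the URL differs from the one that was signed or the timestamp is stale. The base64 output encoding, the `x-hubspot-request-timestamp` header name, and all sample values are assumptions made for the example.

```javascript
// Added illustration, not the webhooks.cc SDK. Base64 output encoding and the
// x-hubspot-request-timestamp header name are assumptions not stated on the page.
const crypto = require("node:crypto");

const MAX_AGE_MS = 5 * 60 * 1000; // the five-minute window described above

function sign(secret, message) {
  return crypto.createHmac("sha256", secret).update(message, "utf8").digest("base64");
}

// Constant-time comparison; hashing both sides first gives equal-length buffers.
function safeEqual(received, expected) {
  if (typeof received !== "string") return false;
  const digest = (s) => crypto.createHash("sha256").update(s).digest();
  return crypto.timingSafeEqual(digest(received), digest(expected));
}

// Square: HMAC-SHA256 over notification URL + raw body.
function verifySquare(req, { secret, url }) {
  return safeEqual(req.headers["x-square-hmacsha256-signature"], sign(secret, url + req.body));
}

// HubSpot v3: HMAC-SHA256 over method + URL + body + timestamp, after a freshness check.
function verifyHubSpotV3(req, { secret, url, method, now = Date.now() }) {
  const ts = req.headers["x-hubspot-request-timestamp"];
  if (!/^\d+$/.test(ts || "")) return false;       // missing or malformed timestamp
  if (now - Number(ts) > MAX_AGE_MS) return false; // stale: treat as a replay
  return safeEqual(req.headers["x-hubspot-signature-v3"], sign(secret, method + url + req.body + ts));
}

// Constructed sample requests (made-up secret, URLs and payloads).
const SECRET = "constructed-test-secret";
const PUBLIC_URL = "https://api.example.com/webhooks/hubspot";
const SQUARE_URL = "https://api.example.com/webhooks/square";
const SENT_AT = 1700000000000;
const hubspotReq = {
  body: '[{"subscriptionType":"contact.creation","objectId":123}]',
  headers: { "x-hubspot-request-timestamp": String(SENT_AT) },
};
hubspotReq.headers["x-hubspot-signature-v3"] =
  sign(SECRET, "POST" + PUBLIC_URL + hubspotReq.body + SENT_AT);
const squareReq = { body: '{"type":"payment.updated"}', headers: {} };
squareReq.headers["x-square-hmacsha256-signature"] = sign(SECRET, SQUARE_URL + squareReq.body);

const fresh = { secret: SECRET, method: "POST", now: SENT_AT + 1000 };
console.log(verifyHubSpotV3(hubspotReq, { ...fresh, url: PUBLIC_URL }));               // signed URL
console.log(verifyHubSpotV3(hubspotReq, { ...fresh, url: "http://10.0.0.5:8080/webhooks/hubspot" })); // URL seen behind a proxy
console.log(verifyHubSpotV3(hubspotReq, { ...fresh, url: PUBLIC_URL, now: SENT_AT + 6 * 60 * 1000 })); // six minutes later
console.log(verifySquare(squareReq, { secret: SECRET, url: SQUARE_URL }));
```

If the receiver sits behind a proxy or load balancer, pass the public URL registered with the provider, not the internal one the application sees, and verify against the raw request body before any JSON parsing.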
Where to go next
Provider templates
Every provider, its templates, and the header each one signs.
Verify webhook signatures
Verify captures in the dashboard or in code, provider by provider.