Dashboard Test Webhooks
Use the dashboard Send button to fire manual requests or realistic provider webhook templates with correct signatures. Verify your handler end-to-end without deploying or configuring an external service.
Updated May 2026
Open the sender
- Open an endpoint in the dashboard.
- Click Send in the URL bar.
- Select either manual mode or a provider template mode.
- Send the request and inspect the captured result in the request list.
Manual mode
Manual mode lets you choose method, path, headers, and body. Use this when you need a custom request shape or when you are debugging a non-standard sender.
Method: POST
Path: /stripe/webhook
Headers:
Content-Type: application/json
Body:
{"event":"test.manual"}
Provider template mode
Provider templates generate realistic payload structure and signature headers so you can test verification logic, not just transport. Captured template requests are also auto-detected in the request list, so you can immediately see the provider icon and event/topic badge.
| Provider | Presets | Content-Type | Signature header |
|---|---|---|---|
| Stripe | payment_intent.succeeded, checkout.session.completed, invoice.paid | application/json | stripe-signature (HMAC SHA-256 over timestamp.payload) |
| GitHub | push, pull_request.opened, ping | application/json | x-hub-signature-256 (HMAC SHA-256 over raw body) |
| Shopify | orders/create, orders/paid, products/update, app/uninstalled | application/json | x-shopify-hmac-sha256 (Base64 HMAC SHA-256 over raw body) |
| Twilio | messaging.inbound, messaging.status_callback, voice.incoming_call | application/x-www-form-urlencoded | x-twilio-signature (Base64 HMAC SHA-1 over URL + sorted params) |
| Slack | event_callback, slash_command, url_verification | application/json | x-slack-signature (HMAC SHA-256 over v0:timestamp:body) |
| Paddle | transaction.completed, subscription.created, subscription.updated | application/json | paddle-signature (HMAC SHA-256 over timestamp:body) |
| Linear | issue.create, issue.update, comment.create | application/json | linear-signature (HMAC SHA-256 over raw body) |
| SendGrid | delivered, open, bounce, spam_report | application/json | None (unsigned) |
| Clerk | user.created, user.updated, user.deleted, session.created | application/json | webhook-signature (Standard Webhooks / Svix signing) |
| Discord | interaction_create, message_component, ping | application/json | None (unsigned template; Ed25519 verification available separately) |
| Vercel | deployment.created, deployment.succeeded, deployment.error | application/json | x-vercel-signature (HMAC SHA-1 over raw body) |
| GitLab | push, merge_request | application/json | x-gitlab-token (raw token comparison) |
| Typeform | form_response, partial_response, payment | application/json | typeform-signature (sha256= Base64 HMAC SHA-256 over raw body) |
| Standard Webhooks | No presets — user-provided body | application/json | webhook-id + webhook-timestamp + webhook-signature (v1, Base64 HMAC SHA-256 over msgId.timestamp.body) |
| Meta | whatsapp.messages, page.messages, instagram.comments | application/json | x-hub-signature-256 (sha256= HMAC SHA-256 over raw body, keyed by app secret) |
| Lemon Squeezy | order_created, subscription_created, subscription_payment_success | application/json | x-signature (hex HMAC SHA-256 over raw body) |
| Coinbase Commerce | charge:confirmed, charge:failed, charge:pending | application/json | x-cc-webhook-signature (hex HMAC SHA-256 over raw body) |
| Razorpay | payment.captured, payment.failed, order.paid | application/json | x-razorpay-signature (hex HMAC SHA-256 over raw body) |
| Cal.com | BOOKING_CREATED, BOOKING_CANCELLED, BOOKING_RESCHEDULED | application/json | x-cal-signature-256 (hex HMAC SHA-256 over raw body) |
| Intercom | conversation.user.created, conversation.admin.replied, contact.created | application/json | x-hub-signature (sha1= hex HMAC SHA-1 over raw body, keyed by client secret) |
| Telegram | message, callback_query, edited_message | application/json | x-telegram-bot-api-secret-token (raw token comparison) |
| Square | payment.created, payment.updated, refund.created | application/json | x-square-hmacsha256-signature (Base64 HMAC SHA-256 over notification URL + raw body) |
| HubSpot | contact.creation, contact.propertyChange, deal.creation | application/json | x-hubspot-signature-v3 (Base64 HMAC SHA-256 over method + URI + body + timestamp) |
| Mailgun | delivered, failed, opened | application/json | None — signs body fields signature.{timestamp,token,signature} (hex HMAC SHA-256) |
| Calendly | invitee.created, invitee.canceled, routing_form_submission.created | application/json | calendly-webhook-signature (t=...,v1=... hex HMAC SHA-256 over timestamp.body) |
| Mux | video.asset.created, video.asset.ready, video.upload.asset_created | application/json | mux-signature (t=...,v1=... hex HMAC SHA-256 over timestamp.body) |
| Sentry | issue.created, issue.resolved, error.created | application/json | sentry-hook-signature (hex HMAC SHA-256 over raw body) |
| Bitbucket | repo:push, pullrequest:created, pullrequest:fulfilled | application/json | x-hub-signature (sha256= hex HMAC SHA-256 over raw body) |
Send the same template from code
Use the SDK when you want the same provider-shaped request in tests:
import { WebhooksCC, matchHeader } from "@webhooks-cc/sdk";
const client = new WebhooksCC({ apiKey: process.env.WHK_API_KEY! });
const endpoint = await client.endpoints.create({ name: "typeform-demo" });
await client.endpoints.sendTemplate(endpoint.slug, {
provider: "typeform",
template: "form_response",
secret: "typeform_test_secret",
});
const request = await client.requests.waitFor(endpoint.slug, {
timeout: "10s",
match: matchHeader("typeform-signature"),
});
console.log(request.headers["typeform-signature"]);Mock webhook secret and event override
Enter your provider signing secret in Mock webhook secret. The sender signs the generated payload with that secret and sets the provider-specific signature header.
Leave Event/topic override empty to use the preset default. Use override only when you need to test a specific event name.
Twilio signatures are computed from URL + sorted form params. If you override a Twilio body as a string, provide URL-encoded key/value pairs (not raw JSON).
Verification checklist
- Verify your server reads the raw request body before parsing JSON.
- Verify signature checks fail if you change the secret.
- Verify your handler branches on provider event/topic correctly.
- Verify Twilio handlers parse form-encoded payloads.