Free Webhook Inspector: Inspect HTTP Headers & JSON Payload

Go beyond just receiving webhooks. Inspect every HTTP header, examine signature fields, validate content-type, and analyse the raw JSON payload structure — in real-time, for free.

Last updated: March 2026 • 8 min read

Webhook Inspection vs Just Receiving

Receiving a webhook means your endpoint accepted the request and returned a 200. Inspecting means you know exactly what the provider sent: headers, content-type, raw body format, and signature values — before your handler made assumptions about any of it.

The difference matters most when debugging integration failures. If your handler is rejecting events, receiving tells you it happened — inspection tells you why. A missing header, an unexpected content-type, a payload structure that differs from the documentation: none of these are visible without looking at the raw request.

What to Look for When Inspecting a Webhook

  • Content-Type header — Verify the provider sends application/json. Some providers send application/x-www-form-urlencoded or text/plain. Calling JSON.parse() on a URL-encoded body causes silent failures.
  • Signature headers — Stripe uses Stripe-Signature, GitHub uses X-Hub-Signature-256, Shopify uses X-Shopify-Hmac-SHA256. One typo in the header name in your verification code fails every event.
  • HTTP method — Most webhooks use POST, but some providers use GET for URL verification challenges or PUT for update events. Check the method matches your route handler.
  • Event type field — Many providers include the event type in both a header (X-GitHub-Event) and the body. Confirming both match catches routing bugs before production.

Step-by-Step Inspection Walkthrough

Here's how to perform a complete webhook inspection with Requex.me:

1. Get your Requex URL: Visit requex.me
2. Configure your provider: Paste the Requex URL into your webhook provider's endpoint field (Stripe Dashboard → Developers → Webhooks, GitHub repo Settings → Webhooks, etc.).
3. Trigger a test event: Send a test event from the provider dashboard, or trigger a real event in your app.
4. Inspect headers: In Requex, click the captured request. View the Headers tab
5. Examine the payload: In the Body tab, view the raw and formatted JSON. Verify the event type, data structure, and field names match your handler's expectations.
6. Copy and replay: Copy the raw body and headers. Replay to your local endpoint with cURL to test your handler without triggering additional provider events.

Quick inspection with cURL: send a test webhook from your terminal:

curl -X POST https://requex.me/hook/YOUR-WEBHOOK-ID \
  -H "Content-Type: application/json" \
  -H "X-My-Signature: sha256=abc123..." \
  -H "X-Event-Type: order.created" \
  -d '{"id": 99, "event": "order.created", "amount": 149.00}'

Payload Debugging Checklist (8 Items)

  • Content-Type is application/json (not form-encoded or text/plain)
  • HTTP method matches your route handler (POST, not GET)
  • Signature header name is spelled correctly (exact case matters)
  • Event type field exists in the body (not just in headers)
  • Payload fields match your handler's deserialization struct/schema
  • No unexpected nesting — e.g., data.object.id vs data.id
  • Timestamp field is in the format your handler expects (Unix vs ISO8601)
  • No extra fields that could cause strict deserialization to fail
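The inspection points and the checklist above can be run mechanically over a captured request. This is an added example, not Requex.me code: `inspectWebhook`, the shape of `expect` and the sample requests are hypothetical, and it covers the method, content-type, signature-header, event-type and unexpected-field checks.

```javascript
// Lint one captured request. `captured` = { method, headers, rawBody } as copied
// from an inspector; `expect` describes what the handler assumes (hypothetical shape).
function inspectWebhook(captured, expect) {
  const findings = [];
  // Node's http module hands handlers lowercased header names; normalise to match.
  const headers = {};
  for (const [k, v] of Object.entries(captured.headers)) headers[k.toLowerCase()] = v;
  if (captured.method !== expect.method)
    findings.push(`method is ${captured.method}, handler expects ${expect.method}`);

  // Drop parameters such as "; charset=utf-8" before comparing the media type.
  const mediaType = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/json')
    findings.push(`content-type is "${mediaType || 'missing'}", not application/json`);
  if (!(expect.signatureHeader.toLowerCase() in headers))
    findings.push(`signature header ${expect.signatureHeader} is missing`);

  let body;
  try {
    body = JSON.parse(captured.rawBody);
    if (body === null || typeof body !== 'object') throw new Error('top level is not an object');
  } catch (err) {
    findings.push(`body is not a JSON object: ${err.message}`);
    return findings; // the remaining checks need a parsed body
  }

  const bodyEvent = body[expect.eventField];
  const headerEvent = headers[expect.eventHeader.toLowerCase()];
  if (bodyEvent === undefined)
    findings.push(`event type field "${expect.eventField}" is missing from the body`);
  else if (headerEvent !== undefined && headerEvent !== bodyEvent)
    findings.push(`event type mismatch: header=${headerEvent} body=${bodyEvent}`);

  // Strict deserialisers reject fields they do not know about.
  for (const key of Object.keys(body))
    if (!expect.knownFields.includes(key)) findings.push(`unexpected field "${key}"`);
  return findings;
}

// Constructed samples: the first mirrors the cURL test request on this page.
const EXPECT = { method: 'POST', signatureHeader: 'X-My-Signature', eventHeader: 'X-Event-Type',
  eventField: 'event', knownFields: ['id', 'event', 'amount'] };
const GOOD = { method: 'POST', rawBody: '{"id": 99, "event": "order.created", "amount": 149.00}',
  headers: { 'Content-Type': 'application/json', 'X-My-Signature': 'sha256=abc123...',
    'X-Event-Type': 'order.created' } };
const FORM = { method: 'POST', rawBody: 'id=99&event=order.created',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'X-Event-Type': 'order.created' } };
console.log(inspectWebhook(GOOD, EXPECT), inspectWebhook(FORM, EXPECT));
```
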

How to Inspect Webhook Signatures

Signature verification is the most common source of webhook integration bugs. Use Requex.me to capture the exact signature value your provider sends, then replay it to your local handler:

Stripe-Signature

Format: t=<timestamp>,v1=<hmac>. Stripe computes the HMAC using the raw body and your endpoint secret. Capture the header value and replay with the exact same raw body: no re-parsing.

X-Hub-Signature-256

Format: sha256=<hmac>. Used by GitHub. Inspect the captured header and compare the HMAC value against your local computation using your webhook secret.

# Replay a captured Stripe webhook to your local handler
curl -X POST http://localhost:3000/api/webhooks/stripe \
  -H "Content-Type: application/json" \
  -H "Stripe-Signature: t=1234567890,v1=abc123..." \
  -d '{"id":"evt_xxx","type":"payment_intent.succeeded",...}'

See the full signature verification walkthrough in the webhook security best practices guide.
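Once the header value and raw body are captured, the local HMAC comparison described above looks like this, including why a re-parsed body fails. This is an added example, not code from Requex.me, Stripe or GitHub: the function names, the secret and the sample body are constructed, and the 300-second timestamp tolerance is an assumed default.

```javascript
const crypto = require('node:crypto');

function hmacHex(secret, data) {
  return crypto.createHmac('sha256', secret).update(data, 'utf8').digest('hex');
}

// Constant-time string comparison; timingSafeEqual throws on unequal lengths,
// so the length check comes first.
function safeEqual(a, b) {
  const x = Buffer.from(a, 'utf8'), y = Buffer.from(b, 'utf8');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// GitHub: X-Hub-Signature-256 is "sha256=" + HMAC-SHA256(secret, raw body).
function verifyGitHub(rawBody, header, secret) {
  if (typeof header !== 'string' || !header.startsWith('sha256=')) return false;
  return safeEqual(header.slice('sha256='.length), hmacHex(secret, rawBody));
}

// Stripe: header is "t=<timestamp>,v1=<hmac>" and the signed string is
// "<timestamp>.<raw body>". Stale timestamps are rejected to limit replay.
function verifyStripe(rawBody, header, secret, nowSec, toleranceSec = 300) {
  let t = '';
  const v1 = [];
  for (const item of String(header).split(',')) {
    const i = item.indexOf('=');
    if (i < 0) continue;
    const key = item.slice(0, i).trim(), val = item.slice(i + 1).trim();
    if (key === 't') t = val;
    else if (key === 'v1') v1.push(val);
  }
  if (!/^\d+$/.test(t)) return false;
  if (Math.abs(nowSec - Number(t)) > toleranceSec) return false;
  const expected = hmacHex(secret, `${t}.${rawBody}`);
  return v1.some((sig) => safeEqual(sig, expected));
}

// Constructed sample (not real provider traffic).
const SECRET = 'constructed-test-secret';
const RAW = '{"id": "evt_test", "type": "payment_intent.succeeded"}';
const T = 1234567890;
const STRIPE_HEADER = `t=${T},v1=${hmacHex(SECRET, `${T}.${RAW}`)}`;
const GITHUB_HEADER = `sha256=${hmacHex(SECRET, RAW)}`;
// Re-serialising drops the spaces, so the bytes no longer match what was signed.
const REPARSED = JSON.stringify(JSON.parse(RAW));
console.log(verifyStripe(RAW, STRIPE_HEADER, SECRET, T + 10),
  verifyStripe(REPARSED, STRIPE_HEADER, SECRET, T + 10));
```

When replaying a captured body from a file with cURL, `--data-binary @file` sends the bytes unchanged, whereas `-d @file` strips newlines and would change what is hashed.
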

Frequently Asked Questions

What is webhook inspection?

Webhook inspection is the process of examining every dimension of an incoming HTTP request: headers, body, content-type, HTTP method, and signature headers — to understand exactly what a provider is sending before your handler processes it.

How do I inspect Stripe-Signature or X-Hub-Signature-256?

Capture a real webhook event using Requex.me. In the request detail view, all headers are visible including Stripe-Signature and X-Hub-Signature-256. Copy the header value and the raw JSON body to replay to your local handler with cURL.

Can I inspect webhooks without writing any code?

Yes. Visit requex.me, copy the unique URL, paste it into your webhook provider settings, and trigger an event. The complete HTTP request appears in your browser: no code required.

What is the difference between a webhook tester and a webhook inspector?

A tester confirms a webhook arrives. An inspector goes deeper — examining raw headers, content-type, signature fields, and payload structure to pinpoint integration failures. Requex.me combines both: capture any webhook, then inspect every field in detail. See the free webhook tester page for basic testing.
