Requex.me Logo
Requex.me

Free Webhook Inspector — Inspect HTTP Headers & JSON Payload

Go beyond just receiving webhooks. Inspect every HTTP header, examine signature fields, validate content-type, and analyse the raw JSON payload structure — in real-time, for free.

Last updated: March 2026 • 8 min read

Webhook Inspection vs Just Receiving

Receiving a webhook means your endpoint accepted the request and returned a 200. Inspecting a webhook means you know exactly what the provider sent — before your handler made assumptions about it.

Just receiving

  • • ✓ Payload arrived
  • • ✗ Don't know exact headers
  • • ✗ Don't know raw body format
  • • ✗ Can't verify signature values
  • • ✗ Can't compare to documentation

Inspecting with Requex.me

  • • ✓ Full header list, every key-value
  • • ✓ Raw body (JSON, form, XML)
  • • ✓ Signature header values
  • • ✓ Content-Type, User-Agent
  • • ✓ HTTP method, query params

The difference matters most when debugging integration failures. If your handler is rejecting events, the problem is almost always in something you can't see without inspection: a missing header, an unexpected content-type, or a payload structure that differs from the documentation.

What to Look for When Inspecting a Webhook

🔍

Content-Type header

Verify the provider is sending application/json. Some providers send application/x-www-form-urlencoded or text/plain. Your handler must parse accordingly — trying to JSON.parse() a URL-encoded body causes silent failures.

🔐

Signature headers

Stripe uses Stripe-Signature, GitHub uses X-Hub-Signature-256, Shopify uses X-Shopify-Hmac-SHA256. Inspect the exact header name — one typo in your verification code causes all events to fail.

📋

HTTP method

Most webhooks use POST, but some providers use GET (for URL verification challenges) or PUT. Check the method matches what your route handler expects.

Event type field

Many providers include the event type in a header (X-GitHub-Event, X-Shopify-Topic) and also in the body. Confirming both match helps catch routing bugs.

Step-by-Step Inspection Walkthrough

Here's how to perform a complete webhook inspection with Requex.me:

1
Get your Requex URLVisit requex.me — a unique URL is generated instantly. No signup.
2
Configure your providerPaste the Requex URL into your webhook provider's endpoint field (Stripe Dashboard → Developers → Webhooks, GitHub repo Settings → Webhooks, etc.).
3
Trigger a test eventSend a test event from the provider dashboard, or trigger a real event in your app.
4
Inspect headersIn Requex, click the captured request. View the Headers tab — check Content-Type, User-Agent, signature headers, and any custom X- headers.
5
Examine the payloadIn the Body tab, view the raw and formatted JSON. Verify the event type, data structure, and field names match your handler's expectations.
6
Copy and replayCopy the raw body and headers. Replay to your local endpoint with cURL to test your handler without triggering additional provider events.

Quick inspection with cURL — send a test webhook from your terminal:

curl -X POST https://requex.me/hook/YOUR-WEBHOOK-ID \
  -H "Content-Type: application/json" \
  -H "X-My-Signature: sha256=abc123..." \
  -H "X-Event-Type: order.created" \
  -d '{"id": 99, "event": "order.created", "amount": 149.00}'

Payload Debugging Checklist (8 Items)

  • Content-Type is application/json (not form-encoded or text/plain)
  • HTTP method matches your route handler (POST, not GET)
  • Signature header name is spelled correctly (exact case matters)
  • Event type field exists in the body (not just in headers)
  • Payload fields match your handler's deserialization struct/schema
  • No unexpected nesting — e.g., data.object.id vs data.id
  • Timestamp field is in the format your handler expects (Unix vs ISO8601)
  • No extra fields that could cause strict deserialization to fail

How to Inspect Webhook Signatures

Signature verification is the most common source of webhook integration bugs. Use Requex.me to capture the exact signature value your provider sends, then replay it to your local handler:

Stripe-Signature

Format: t=<timestamp>,v1=<hmac>. Stripe computes the HMAC using the raw body and your endpoint secret. Capture the header value and replay with the exact same raw body — no re-parsing.

X-Hub-Signature-256

Format: sha256=<hmac>. Used by GitHub. Inspect the captured header and compare the HMAC value against your local computation using your webhook secret.

# Replay a captured Stripe webhook to your local handler
curl -X POST http://localhost:3000/api/webhooks/stripe \
  -H "Content-Type: application/json" \
  -H "Stripe-Signature: t=1234567890,v1=abc123..." \
  -d '{"id":"evt_xxx","type":"payment_intent.succeeded",...}'

See the full signature verification walkthrough in the webhook security best practices guide.

Frequently Asked Questions

What is webhook inspection?

Webhook inspection is the process of examining every dimension of an incoming HTTP request — headers, body, content-type, HTTP method, and signature headers — to understand exactly what a provider is sending before your handler processes it.

How do I inspect Stripe-Signature or X-Hub-Signature-256?

Capture a real webhook event using Requex.me. In the request detail view, all headers are visible including Stripe-Signature and X-Hub-Signature-256. Copy the header value and the raw JSON body to replay to your local handler with cURL.

Can I inspect webhooks without writing any code?

Yes. Visit requex.me, copy the unique URL, paste it into your webhook provider settings, and trigger an event. The complete HTTP request appears in your browser — no code required.

What is the difference between a webhook tester and a webhook inspector?

A tester confirms a webhook arrives. An inspector goes deeper — examining raw headers, content-type, signature fields, and payload structure to pinpoint integration failures. Requex.me combines both: capture any webhook, then inspect every field in detail. See the free webhook tester page for basic testing.

Related Tools & Guides

Free Webhook Tester

Capture any HTTP request, inspect payloads instantly

Webhook Security Best Practices

Signature verification for Stripe, GitHub, Shopify

Debug Webhook Errors

Fix 400, 500, timeout, and signature failures

Local Webhook Testing

Capture and replay webhooks during local development

Inspect Your First Webhook Now

Free, no signup, no installation. See exactly what your provider is sending.

Open Webhook Inspector →