Request
Headers
Body
HMAC Signature — optional
Response
Send a request to see the response
Ctrl+Enter / ⌘+Enter
CORS note — Browsers block cross-origin requests unless the target server sends CORS headers. For echo testing, use webhook.site or requestbin.com as the destination — both return full request details with CORS enabled.
Your own API — Works directly if your server sets Access-Control-Allow-Origin: *.
About
The Webhook Tester lets you craft and send HTTP requests — choosing from POST, GET, PUT, PATCH, or DELETE — with full control over headers and a JSON request body, then inspect the status code, response headers, and response body without leaving your browser. Three realistic payload templates are pre-loaded: a GitHub Push event, a Stripe payment_intent.succeeded event, and a Slack Events API callback. Load any template and customise it to match your exact use case in seconds. For webhook providers that require signed payloads, enter your secret and the tool computes an HMAC-SHA256 signature in your browser using the Web Crypto API, then attaches it as the appropriate header — compatible with GitHub (X-Hub-Signature-256), Shopify, and any service using the sha256=<hex> convention. Your secret and payload never pass through any CodeLint.Dev server.
How to use
- 1 Paste your webhook endpoint URL into the URL field at the top and select the HTTP method — POST is the default for most webhook providers.
- 2 Click the Templates dropdown and choose GitHub Push, Stripe payment_intent.succeeded, or Slack Events API to pre-load a realistic JSON payload, or start with a blank Custom body.
- 3 Edit the JSON body in the editor to match the exact payload your endpoint expects.
- 4 Add or remove request headers using the Headers panel — common headers like Content-Type and Authorization are pre-filled.
- 5 To sign the request, enter your webhook secret in the Signing Secret field and specify the header name (e.g. X-Hub-Signature-256) — the HMAC-SHA256 signature is computed in your browser and added automatically.
- 6 Click Send Request to fire the request, then inspect the response status code, response headers, and body in the Response panel on the right.
- Why does my request fail with a CORS error?
- Browsers enforce the Same-Origin Policy and block cross-origin requests unless the target server responds with the correct CORS headers (Access-Control-Allow-Origin). Most production webhook endpoints are designed for server-to-server communication and do not include CORS headers, so browser-originated requests are blocked. To work around this during testing, use an echo service as your target — webhook.site and requestbin.com both accept any origin and reflect the full request back to you with CORS enabled. For testing your own local server, add permissive CORS headers to your development configuration.
- How does HMAC-SHA256 signing work?
- Webhook providers like GitHub, Shopify, and Twilio require the sender to compute an HMAC-SHA256 hash of the raw request body using a shared secret, then include the hex-encoded result in a specific header (e.g. X-Hub-Signature-256: sha256=<hex>). The Webhook Tester performs this computation in your browser using the Web Crypto API — your secret is used locally and never transmitted to any server, including CodeLint.Dev.
- Can I test my local development server?
- Yes. Enter a localhost URL such as http://localhost:3000/webhooks and the request will go directly from your browser to your local server. You will need to have CORS headers enabled in your development server configuration — most frameworks (Express, FastAPI, Laravel, Rails) have a development-mode setting or middleware that allows all origins.
- Why does the tool show a network error instead of a response?
- A network error (as opposed to an HTTP error status like 400 or 500) usually means one of two things: the target server is unreachable (wrong URL, server not running, firewall), or a CORS preflight request was rejected before the actual request could be sent. Check that your URL is correct and that your server is running, then check the browser console for a more specific CORS error message.
- What is the difference between a webhook and a regular API call?
- A regular API call is initiated by your client polling a server for data. A webhook is event-driven — the provider server pushes a notification to your endpoint the moment something happens (a payment is made, a commit is pushed, a message is posted). Testing a webhook means simulating that incoming push, which is exactly what this tool does: it fires the HTTP request a provider would send, so you can verify your endpoint handles it correctly before going live.
- Is my payload or webhook secret sent to CodeLint.Dev?
- No. Requests are sent directly from your browser to the target URL you enter — they do not route through any CodeLint.Dev server or proxy. HMAC signatures are computed entirely in your browser. Your webhook secret, payload contents, and response data are never visible to us.