Webhook Relay
Sign up free

Verify Slack Webhook Signatures

Slack signs requests by building the string v0:{timestamp}:{body} and computing HMAC-SHA256 with your app's signing secret. The result is sent (prefixed v0=) in X-Slack-Signature, with the timestamp in X-Slack-Request-Timestamp. Paste the raw body, secret, timestamp and signature.

Paste the X-Slack-Signature value above to compare

Everything runs in your browser — the payload and secret never leave this page. Want to verify a different provider? See the webhook signature verifier hub or the generic HMAC generator.

How Slack signs webhooks

  1. Build the base string v0:{X-Slack-Request-Timestamp}:{raw body}.
  2. Compute HMAC-SHA256 using your signing secret as the key, hex-encoded.
  3. Prefix with v0= and compare to X-Slack-Signature with a constant-time check.
  4. Reject requests whose timestamp is more than ~5 minutes old to prevent replays.

Reference: Slack signature documentation.

Verify Slack signatures in code

Node.js
const crypto = require('crypto');

const ts = req.headers['x-slack-request-timestamp'];
const base = `v0:${ts}:${rawBody}`;
const sig = 'v0=' + crypto
  .createHmac('sha256', process.env.SLACK_SIGNING_SECRET)
  .update(base).digest('hex');

const valid = crypto.timingSafeEqual(
  Buffer.from(sig), Buffer.from(req.headers['x-slack-signature']));
Python
import hmac, hashlib

ts = request.headers['X-Slack-Request-Timestamp']
base = f"v0:{ts}:{raw_body}"
sig = 'v0=' + hmac.new(
    signing_secret.encode(), base.encode(), hashlib.sha256).hexdigest()

valid = hmac.compare_digest(sig, request.headers['X-Slack-Signature'])

Frequently asked questions

Where is the Slack signing secret?

In your app's settings at api.slack.com under "Basic Information" → "App Credentials" → "Signing Secret". It is different from a bot or OAuth token.

Why include the timestamp?

Signing v0:{timestamp}:{body} binds the signature to a moment in time, so you can reject old requests and stop attackers replaying a captured payload.

Verify other providers

StripeGitHubShopifyTwilioStandard Webhooks
HMAC GeneratorCloudEvents ValidatorWebhook Tester (Bin)

Receiving Slack webhooks on a server behind a firewall or on localhost? Webhook Relay can forward them to your internal service and even verify or transform them before delivery.