API Reference
Signature verifier
Paste your signing secret, the raw request body, and the X-JE-Signature header.
We compute the HMAC client-side and tell you whether your receiver would accept it. Your secret never leaves the browser — no fetch, no telemetry.
What this checks
- The header parses as
t=<unix>,v1=<hex>. tis within ±300s of "now" — defends against replay attacks.v1 === HMAC-SHA256(secret, t + "." + body), compared in constant time.
Mirrors the server-side helper at backend/internal/handlers/webhook_outgoing.go::VerifyWebhookSignature.
See the receiver recipe for Node + Python + Go code.