Skip to main content
The 142 providers webhook.co verifies, generated from the same registry the engine runs. Find your sender, register a provider secret under its slug, and verification runs automatically — see how verification works. Columns: the provider, the slug you register the secret under, the signature scheme (HMAC digest is SHA-256 unless noted), the exact signature header, and whether the provider uses a setup handshake (answered automatically). A handful of providers carry the signature in the request body or a form field rather than a header — noted inline.
Most providers take a single signing_secret (the default kind, so you can omit it). Three handshake-and-key cases take an extra kind: Meta and eBay accept a verify_token for their challenge, and Braintree accepts a braintree_public_key alongside its signing secret. See managing provider secrets.

Standard Webhooks

The open Standard Webhooks construction: HMAC-SHA256 over {id}.{ts}.{body}, base64, secret decoded from a whsec_-prefixed key. If your sender implements this spec, this family is the one to match.
ProviderslugSchemeSignature headerHandshake
Standard Webhooksstandard_webhooksHMAC-SHA256webhook-signature
ClerkclerkHMAC-SHA256svix-signature
ResendresendHMAC-SHA256svix-signature
StytchstytchHMAC-SHA256svix-signature
SupabasesupabaseHMAC-SHA256webhook-signature
RenderrenderHMAC-SHA256webhook-signature
BrexbrexHMAC-SHA256webhook-signature
OpenAIopenaiHMAC-SHA256webhook-signature
ReplicatereplicateHMAC-SHA256webhook-signature
PolarpolarHMAC-SHA256webhook-signature
Google GeminigeminiHMAC-SHA256webhook-signature
incident.ioincident_ioHMAC-SHA256webhook-signature
EtsyetsyHMAC-SHA256webhook-signature
VantavantaHMAC-SHA256svix-signature
LoopsloopsHMAC-SHA256webhook-signature
IncreaseincreaseHMAC-SHA256webhook-signature
FinchfinchHMAC-SHA256finch-signature

HMAC over the raw body

The signature is computed over the exact request body verbatim — the most common scheme. Digest is SHA-256 unless the row says otherwise.
ProviderslugSchemeSignature headerHandshake
GitHubgithubHMAC-SHA256x-hub-signature-256
ShopifyshopifyHMAC-SHA256x-shopify-hmac-sha256
MetametaHMAC-SHA256x-hub-signature-256Yes
PusherpusherHMAC-SHA256x-pusher-signature
QuickBooksquickbooksHMAC-SHA256intuit-signature
ChargifychargifyHMAC-SHA256x-chargify-webhook-signature-hmac-sha-256
LaunchDarklylaunchdarklyHMAC-SHA256x-ld-signature
Modern Treasurymodern_treasuryHMAC-SHA256x-signature
Autodesk Platform Servicesautodesk_apsHMAC-SHA1x-adsk-signature
MongoDB Atlasmongodb_atlasHMAC-SHA1x-mms-signature
XeroxeroHMAC-SHA256x-xero-signature
SegmentsegmentHMAC-SHA1x-signature
AfterShipaftershipHMAC-SHA256aftership-hmac-sha256
OnfleetonfleetHMAC-SHA512x-onfleet-signature
Microsoft Teamsms_teamsHMAC-SHA256authorization (HMAC <b64>)
AblyablyHMAC-SHA256x-ably-signature
SquarespacesquarespaceHMAC-SHA256squarespace-signature
NylasnylasHMAC-SHA256x-nylas-signature
LinkedInlinkedinHMAC-SHA256x-li-signature
BoltboltHMAC-SHA256x-bolt-hmac-sha256
PrimerprimerHMAC-SHA256x-signature-primary
TallytallyHMAC-SHA256tally-signature
FramerframerHMAC-SHA256framer-signature
AshbyashbyHMAC-SHA256ashby-signature
Mergemerge_devHMAC-SHA256x-merge-webhook-signature
CronofycronofyHMAC-SHA256cronofy-hmac-sha256
DeeldeelHMAC-SHA256x-deel-signature
RazorpayrazorpayHMAC-SHA256x-razorpay-signature
SentrysentryHMAC-SHA256sentry-hook-signature
LinearlinearHMAC-SHA256linear-signature
DropboxdropboxHMAC-SHA256x-dropbox-signatureYes
Checkout.comcheckout_comHMAC-SHA256cko-signature
Lemon Squeezylemon_squeezyHMAC-SHA256x-signature
Coinbase Commercecoinbase_commerceHMAC-SHA256x-cc-webhook-signature
DwolladwollaHMAC-SHA256x-request-signature-sha-256
GoCardlessgocardlessHMAC-SHA256webhook-signature
NotionnotionHMAC-SHA256x-notion-signature
WooCommercewoocommerceHMAC-SHA256x-wc-webhook-signature
BitbucketbitbucketHMAC-SHA256x-hub-signature
Jira (system webhooks)atlassian_jiraHMAC-SHA256x-hub-signature
X (Twitter)xHMAC-SHA256x-twitter-webhooks-signatureYes
ClickUpclickupHMAC-SHA256x-signature
npmnpmHMAC-SHA256x-npm-signature
HerokuherokuHMAC-SHA256heroku-webhook-hmac-sha256
DubdubHMAC-SHA256dub-signature
Cal.comcal_comHMAC-SHA256x-cal-signature-256
AsanaasanaHMAC-SHA256x-hook-signatureYes
CircleCIcircleciHMAC-SHA256circleci-signature
PagerDutypagerdutyHMAC-SHA256x-pagerduty-signature
AirtableairtableHMAC-SHA256x-airtable-content-mac
DocuSigndocusignHMAC-SHA256x-docusign-signature-1
VercelvercelHMAC-SHA1x-vercel-signature
IntercomintercomHMAC-SHA1x-hub-signature
PaystackpaystackHMAC-SHA512x-paystack-signature
Authorize.Netauthorize_netHMAC-SHA512x-anet-signature
TypeformtypeformHMAC-SHA256typeform-signature

HMAC with a signed timestamp

The signed message includes a timestamp (from a header or a field inside the signature header), so the signature also fences a replay window. Digest is SHA-256 unless noted.
ProviderslugSchemeSignature headerHandshake
StripestripeHMAC-SHA256stripe-signature
SlackslackHMAC-SHA256x-slack-signatureYes
WebflowwebflowHMAC-SHA256x-webflow-signature
KlaviyoklaviyoHMAC-SHA256klaviyo-signature
MuxmuxHMAC-SHA256mux-signature
ShipposhippoHMAC-SHA256shippo-auth-signature
BuildkitebuildkiteHMAC-SHA256x-buildkite-signature
TikToktiktokHMAC-SHA256tiktok-signature
AirshipairshipHMAC-SHA256x-ua-signature
LoblobHMAC-SHA256lob-signature
PersonapersonaHMAC-SHA256persona-signature
AirwallexairwallexHMAC-SHA256x-signature
AffirmaffirmHMAC-SHA512x-affirm-signature
Customer.io (Journeys)customer_ioHMAC-SHA256x-cio-signature
BoxboxHMAC-SHA256box-signature-primary
ConfigCatconfigcatHMAC-SHA256x-configcat-webhook-signature-v1
KnockknockHMAC-SHA256x-knock-signature
CalendlycalendlyHMAC-SHA256calendly-webhook-signature
ZoomzoomHMAC-SHA256x-zm-signatureYes
Customer.io (Data Pipelines)customerioHMAC-SHA256x-cio-signature
SinchsinchHMAC-SHA256x-sinch-webhook-signature
WorkOSworkosHMAC-SHA256workos-signature
FrontfrontHMAC-SHA256x-front-signature
ZendeskzendeskHMAC-SHA256x-zendesk-webhook-signature
TwitchtwitchHMAC-SHA256twitch-eventsub-message-signatureYes
PaddlepaddleHMAC-SHA256paddle-signature
RecurlyrecurlyHMAC-SHA256recurly-signature
SanitysanityHMAC-SHA256sanity-webhook-signature

HMAC over request context

These sign more than the body — the request URL, sorted form fields, specific JSON fields, or a manifest. Some carry the signature in the body or a form field rather than a header.
ProviderslugSchemeSignature locationHandshake
SquaresquareHMAC-SHA256 · URL + bodyx-square-hmacsha256-signature
TrellotrelloHMAC-SHA1 · body + URLx-trello-webhook
TwiliotwilioHMAC-SHA1 · URL + form fieldsx-twilio-signature
Mailchimp Transactional (Mandrill)mandrillHMAC-SHA1 · URL + form fieldsx-mandrill-signature
HubSpothubspotHMAC-SHA256 · method + URL + body + tsx-hubspot-signature-v3
AdyenadyenHMAC-SHA256 · signed body fieldsin body (hmacSignature)
MailgunmailgunHMAC-SHA256 · timestamp + tokenin body (signature)
Mercado Pagomercado_pagoHMAC-SHA256 · id/request-id/ts manifestx-signature
BraintreebraintreeHMAC-SHA1 · signs bt_payloadform field (bt_signature)Yes
ContentfulcontentfulHMAC-SHA256 · canonical requestx-contentful-signature
PlivoplivoHMAC-SHA256 · URL + bodyx-plivo-signature-v3

JWT (HS256)

The signature is a JWT signed with a shared secret. Some bind the body via a hash claim; others prove origin, destination, and freshness without hashing the body.
ProviderslugSchemeSignature headerHandshake
MessageBird (Bird)messagebirdJWT HS256 · body-hash claimmessagebird-signature-jwt
NetlifynetlifyJWT HS256 · body-hash claimx-webhook-signature
VonagevonageJWT HS256 · body-hash claimauthorization (Bearer)
monday.commondayJWT HS256 · origin-boundauthorizationYes
Jira (Connect apps)jira_connectJWT HS256 · qsh-boundauthorization (JWT)

Asymmetric signatures

Public-key verification — you register the provider’s public key (or, for remote-key providers, an issuer URL or app credentials the engine uses to fetch the key). Nothing you hold can forge one of these.
ProviderslugSchemeSignature locationHandshake
KeygenkeygenEd25519keygen-signature
Constant Contactconstant_contactRS256 (remote JWKS)x-ctct-webhook-sig
DiscorddiscordEd25519x-signature-ed25519Yes
TelnyxtelnyxEd25519telnyx-signature-ed25519
SendGridsendgridECDSA P-256x-twilio-email-event-webhook-signature
WisewiseRSA-SHA256x-signature-sha256
KindekindeRS256 JWT (remote JWKS)body is a JWT (no header)
PayPalpaypalRSA (remote cert)paypal-transmission-sig
Amazon SNSaws_snsRSA (remote cert)in body (message JSON)
PlaidplaidES256 JWT (remote key)plaid-verification
eBayebayECDSA-SHA1 (remote key)x-ebay-signatureYes

Token / HTTP Basic

These don’t sign the payload — they prove the source with a shared static token or HTTP Basic credential. A match is real but weaker than a signature, so verified events land in the authenticated state, never verified. Where the header is operator-configured, you register the header name alongside the token.
ProviderslugSchemeCredential locationHandshake
TelegramtelegramStatic tokenx-telegram-bot-api-secret-token
GitLabgitlabStatic tokenx-gitlab-token
Microsoft Graphmicrosoft_graphStatic tokenin body (clientState)Yes
ChargebeechargebeeHTTP Basicauthorization (Basic)
PostmarkpostmarkHTTP Basicauthorization (Basic)
SparkPostsparkpostHTTP Basicauthorization (Basic)
MixpanelmixpanelHTTP Basicauthorization (Basic)
OktaoktaStatic tokenoperator-configured headerYes
BigCommercebigcommerceStatic tokenoperator-configured header
DatadogdatadogStatic tokenoperator-configured header
BrevobrevoStatic tokenoperator-configured header
New Relicnew_relicStatic tokenoperator-configured header
FilloutfilloutStatic tokenoperator-configured header
ZapierzapierStatic tokenoperator-configured header

Not seeing your provider?

Capture works for any sender regardless — and an unlisted provider is often one step away. See custom or unlisted provider.