A high-fidelity developer utility to re-sign and replay webhooks locally. Bypasses stale timestamp and signature validation issues during development.
| Provider | Scheme | Tolerance |
|---|---|---|
| Stripe | t=....,v1=.... HMAC-SHA256 hex |
5 minutes |
| Paddle | ts=...;h1=.... HMAC-SHA256 hex |
~5 seconds |
| Shopify | X-Shopify-Hmac-SHA256 HMAC-SHA256 base64 |
No timestamp |
Many webhook providers (Stripe, Paddle, Shopify) use HMAC signatures to ensure payload integrity. These signatures often include a Unix timestamp to prevent replay attacks.
- Paddle has a strict 5-second tolerance window.
- Stripe has a 5-minute window.
This makes replaying saved payloads for testing nearly impossible—the timestamp becomes stale, the signature fails validation, and your app rejects the event.
WebhookReforge solves this by:
- Intercepting or loading a webhook payload.
- Swapping the stale timestamp with the current time.
- Re-computing the HMAC-SHA256 signature using your developer secret.
- Forwarding the re-signed request to your local application.
Your code sees a valid, fresh webhook every time.
- Multi-Provider Support: Built-in adapters for Stripe, Paddle, and Shopify.
- Proxy Mode: Sits between your webhook source (ngrok, etc.) and your app, re-signing events on the fly.
- Replay Mode: Fire saved JSON payloads from a file or the UI with perfect signatures.
- Native Desktop UI: A professional, cross-platform GUI built with Wails v2 and Vanilla JS.
- Local-First: Zero telemetry, zero cloud dependencies. Your secrets stay on your machine.
Download the latest binary for your platform from the Releases page.
sudo apt update
sudo apt install gcc libgtk-3-dev libwebkit2gtk-4.1-dev
go install github.com/wailsapp/wails/v2/cmd/wails@v2.12.0wails build -tags webkit2_41Simply run the binary to launch the Desktop UI. Paste your payload, select your provider, and hit Fire.
./webhook-reforge proxy --port 9000 --target http://localhost:3000/webhooks --secret whsec_xxx --provider stripe./webhook-reforge replay --file payment.json --target http://localhost:3000/webhooks --secret whsec_xxx --provider paddleMIT
