Verifying X-Device-Signature offline with DevToys

Sometimes you want to check a webhook signature without pasting your signing secret into any website. DevToys is a desktop toolbox that runs entirely offline — the secret never leaves your machine.

What DevToys is

DevToys is an offline "Swiss-army knife for developers" — a desktop app bundling generators, converters, and encoders that would otherwise send you to a dozen web tools. The one we care about here is its HMAC generator.

Why offline matters for a signing secret

UnifyPort's webhook signature is an HMAC keyed on your signing_secret. Web-based hash tools are convenient, but they ask you to paste that secret into a page. DevToys computes everything locally — nothing is sent anywhere — so it is the safer choice when the secret is one you actually use.

Verifying X-Device-Signature in DevToys

UnifyPort signs each delivery like this:

X-Device-Signature = hex( HMAC-SHA256( secret, timestamp + "." + raw_body ) )

To reproduce it by hand:

  1. Open the HMAC generator in DevToys and set the hashing function to SHA256.
  2. Paste your signing secret into the key field, as plain UTF-8 text.
  3. In the input, paste exactly <timestamp>.<raw_body> (the X-Device-Timestamp value, an ASCII dot, then the raw body bytes):

     1716800000.{"type":"message.received", … }

  4. Compare the lowercase hex output against the X-Device-Signature header. A byte-for-byte match means the secret, timestamp, and body all line up.

When CyberChef or code is the better tool

  • CyberChef. If you want to chain steps — base64-decode a body, then HMAC — in one recipe, our CyberChef walkthrough is more flexible, at the cost of pasting into a web page.
  • In code. For anything repeatable, verify in your handler with a constant-time compare (timingSafeEqual, hmac.compare_digest, hmac.Equal) — never ==.

Getting the inputs

  • To grab the X-Device-Timestamp and raw body to feed in, capture a delivery with webhook.site or forward one to localhost with smee.io.
  • Prefer a browser and the convenience of a shareable recipe? The CyberChef walkthrough runs the identical algorithm.

Common questions

Which platforms does DevToys run on?
DevToys is an offline desktop app for Windows and macOS. Reach for it when you would rather not paste a signing secret into a web form.

Why is DevToys safer than a web-based HMAC tool?
It runs entirely on your machine — the signing secret you type is never transmitted to a server. Web tools may be client-side too, but with a desktop app you do not have to take that on faith.

My computed signature does not match X-Device-Signature — what is wrong?
Three usual causes: a wrong signing secret; a body altered before hashing (re-serialized JSON, stripped whitespace, unicode normalization); or a timestamp read from the wrong header — only X-Device-Timestamp is signed. The input must be exactly <timestamp>.<raw_body> with a literal dot.

Once it matches

Move the same computation into your handler — crypto.createHmac in Node, hmac.new in Python, hmac.New in Go — and always compare with a constant-time function, never ==.
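
The handler-side check described above, as an added Python example (not UnifyPort's own code). The function names, the plain-dict header lookup and the sample secret, timestamp and body are assumptions constructed here; the demo also shows the re-serialized-JSON mismatch from the common questions.

```python
import hashlib
import hmac
import json

# Constructed sample values: not a real secret or a real delivery.
SECRET = "example-signing-secret"
TIMESTAMP = "1716800000"
RAW_BODY = b'{"type":"message.received", "id": 42}'


def compute_signature(secret: str, timestamp: str, raw_body: bytes) -> str:
    """hex(HMAC-SHA256(secret, timestamp + "." + raw_body)) as lowercase hex."""
    signed = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest()


def verify_delivery(secret: str, headers: dict, raw_body: bytes) -> bool:
    """True only if X-Device-Signature matches the bytes exactly as received."""
    timestamp = headers.get("X-Device-Timestamp")
    received = headers.get("X-Device-Signature")
    if not timestamp or not received:
        return False  # a missing header is a failed check, not an exception
    try:
        expected = compute_signature(secret, timestamp, raw_body)
    except UnicodeEncodeError:
        return False  # reject a non-ASCII timestamp instead of raising
    # Constant-time compare on bytes; never use == for signatures.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


def demo() -> dict:
    headers = {
        "X-Device-Timestamp": TIMESTAMP,
        "X-Device-Signature": compute_signature(SECRET, TIMESTAMP, RAW_BODY),
    }
    # Parsing and re-dumping changes whitespace, so the signed bytes change too.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode("utf-8")
    return {
        "raw_bytes": verify_delivery(SECRET, headers, RAW_BODY),
        "reserialized": verify_delivery(SECRET, headers, reserialized),
        "wrong_secret": verify_delivery("other-secret", headers, RAW_BODY),
    }


if __name__ == "__main__":
    print(demo())
```

In a real handler, pass the request body bytes as read from the socket or framework's raw-body accessor, before any JSON parsing middleware touches them.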