Search Tools

Search and navigate to any tool quickly

SEA Webhook Signature Verifier — Midtrans, DOKU, Xendit, 2C2P

Verify Midtrans, DOKU, Xendit, and 2C2P webhook signatures in your browser — the expected signature is computed with Web Crypto and matched against the received one. Keys never leave the page.

All hashing runs locally via the Web Crypto API. Your server keys and payloads are never uploaded, logged, or stored — there are no network requests. Prefer sandbox/test keys.
Gateway
Each preset knows how that gateway builds its signature.

SHA-512( order_id + status_code + gross_amount + ServerKey ) — plain digest, not HMAC

Midtrans inputs
About

About SEA Webhook Signature Verifier — Midtrans, DOKU, Xendit, 2C2P

When a payment gateway calls your webhook, you should verify the signature before trusting the callback — but each Southeast Asian gateway assembles its canonical (signed) string differently, and that assembly is the error-prone step. A generic HMAC calculator does not know that Midtrans uses a plain SHA-512 (not HMAC) over four concatenated fields with the server key last, or that DOKU signs a five-line component block with the digest of the raw body, or that Xendit uses a static token rather than a signature at all. This tool bakes in the per-gateway recipe so you can confirm authenticity locally.

Choose a preset — Midtrans SHA-512, DOKU HMAC-SHA256 component string, Xendit x-callback-token equality, 2C2P JWT (HS256) verification, or 2C2P legacy hashValue — fill in the fields exactly as they arrive in the notification, paste your server/secret key, and the tool computes the expected value with the Web Crypto API and shows it beside the received one with a clear MATCH or NO MATCH. For 2C2P JWTs it verifies the HS256 signature and decodes the header and payload. Every preset ships a worked example that produces a match, so you can see the shape before using your own data.

Everything runs entirely in your browser through SubtleCrypto — your server keys are never uploaded, logged, or stored, and there are no network requests. Prefer sandbox/test keys where you can. This is a debugging and integration aid built on each gateway's public specification; it verifies signatures only and does not check transaction status or merchant registration, so always re-confirm critical callbacks against the gateway's status API.

How to use SEA Webhook Signature Verifier — Midtrans, DOKU, Xendit, 2C2P

  1. Pick your gateway

    Choose Midtrans, DOKU, Xendit, or 2C2P (JWT or legacy hashValue). Each preset knows how that gateway builds its signature.

  2. Paste the notification fields

    Enter the fields exactly as received (keep gross_amount decimals, use the raw body for DOKU) plus your server/secret key.

  3. Compare signatures

    The expected signature is computed locally and shown beside the received one with a MATCH or NO MATCH result.

  4. Investigate mismatches

    For DOKU, inspect the digest and component string; for 2C2P JWTs, read the decoded header and payload to spot the problem.

Frequently asked questions