Question 1

Does RequestBin or a similar service log the payloads I paste here?

Accepted Answer

No. This tool runs entirely in your browser tab. The payload you paste never leaves your machine — there is no server, no logging endpoint, and no account. RequestBin and similar services require you to send real traffic to a URL they control, which means your webhook payloads (which may contain API keys, customer IDs, or order data) are stored on their infrastructure.

Question 2

How does the sender identification work?

Accepted Answer

Each major webhook sender uses a distinct signature header. Stripe uses Stripe-Signature, GitHub uses X-Hub-Signature-256, Slack uses X-Slack-Signature, and so on. Paste the full list of request headers alongside the payload body and the tool matches the header name pattern to identify the sender. It does not verify the HMAC signature — that requires your secret — but it tells you which service sent the payload and what format to expect.

Question 3

Can I diff two webhook payloads to see what changed?

Accepted Answer

Yes. Paste a before payload in the left panel and an after payload in the right panel. The diff view highlights added keys in green and removed keys in red at the JSON property level. Useful for comparing a test event against a production event, or tracking schema changes across Stripe API versions.

Question 4

What payload formats does the inspector support?

Accepted Answer

JSON (the default for most modern webhooks), application/x-www-form-urlencoded (used by older Stripe events and Twilio), and multipart/form-data. The tool auto-detects the format from the Content-Type header if you paste it, or you can select manually.

Question 5

Is this tool safe to use with production webhook payloads containing real customer data?

Accepted Answer

Yes, because nothing is transmitted. The parsing logic uses the browser's built-in JSON.parse and URLSearchParams APIs. No third-party analytics or error-tracking scripts are loaded on this page. You can verify this by opening DevTools Network tab — the only requests you will see are the font and CSS loads on page open.

Your webhook payload never leaves this tab.

Payload A — parse and identify.

The browser's crypto engine is already fast enough.