Webhook Tester

Build HTTP requests, fire them, and inspect responses. A lightweight REST client in your browser.

How to Use

Enter the webhook/API URL you want to test
Choose the HTTP method (GET, POST, PUT, PATCH, DELETE)
Add headers and a JSON body as needed
Click "Send" to fire the request
Inspect the response status, headers, and body below

Note: Requests are sent directly from your browser, so CORS restrictions apply. The target server must allow cross-origin requests.

Headers

Body

What this webhook tester is (and what it is not)

This is a sender. You give it a URL, an HTTP method, headers, and a body, and it fires the request straight from your browser and shows you the response. It is a lightweight REST client you can open in a tab without installing anything.

It is not a receiver. If you are looking for a public URL that catches incoming webhooks from Stripe, GitHub, Shopify, or any other service so you can inspect what they send, this is the wrong tool. For that job, use webhook.site, RequestBin, or Hookdeck. Those services give you a temporary URL, collect requests sent to it, and let you replay them. This tool solves the other half of the webhook problem: testing how your own endpoint behaves when a payload arrives.

What it is good for

The scenarios where a browser-based sender is the right tool:

Testing a webhook handler you just deployed. You wrote a /webhooks/stripe route in your app. Fire a sample payload at it and check the response, the logs, and any downstream side effects.
Debugging an integration that is not receiving the expected payload. Replay a request with the exact shape you think the provider is sending, and see if your endpoint matches that assumption.
Validating signature verification logic. Send a request with a known HMAC or Stripe-Signature header to confirm your verification middleware accepts valid signatures and rejects invalid ones.
Poking at any REST API. It is also a general HTTP client. If you need to hit a GET endpoint to see what it returns, or POST to a JSON API while prototyping, this works the same way Postman or curl would.
Sharing a repro case. The request you built can be copied as a curl command and dropped into an issue or a chat message.

The CORS constraint (and how to work around it)

Because requests fire from your browser, the target server has to opt in to cross-origin requests via the Access-Control-Allow-Origin header. This is a browser security rule, not something the tool can bypass.

In practice, this affects you in one of three ways:

Testing your own endpoint in development: add https://www.forgelit.com (or * during dev) to your CORS config. Most frameworks let you do this with one line of middleware.
Testing a public API that supports browser clients: services like httpbin, JSONPlaceholder, and most modern REST APIs already allow cross-origin requests. You can use this tool as-is.
Testing a third-party API that blocks browser requests: you cannot work around this with a browser tool, period. Use curl, Postman's desktop app, or an HTTP client library in a terminal instead. The CORS block is the server's decision, not ours.

If you hit a CORS error, the response area will show an empty or errored response and the browser console will explain why. The tool itself is working. The target is refusing the cross-origin connection.

Webhook anatomy, briefly

If you are newer to webhooks, the request model is the same as any HTTP API call. A webhook is just an HTTP POST (usually) sent to a URL you control, by a service reacting to an event on their end.

The four parts of any request

URL: where the request is sent. For webhook testing, this is usually your own /webhooks/provider route. Method: almost always POST for webhooks, but you can test any HTTP verb here. Headers: metadata like Content-Type: application/json, authentication, and signature values. Body: the payload, almost always JSON.

Signature headers you will encounter

Most providers sign their webhooks so your endpoint can verify the request really came from them. The header names vary: Stripe uses Stripe-Signature, GitHub uses X-Hub-Signature-256, Shopify uses X-Shopify-Hmac-SHA256, and many custom integrations use a generic X-Signature or X-Hmac. When testing locally, you can construct a valid signature using the provider's documented algorithm and paste it into the Headers section here.

Response codes your endpoint should return

By convention, webhook receivers return 200 OK or 204 No Content when the payload was accepted successfully. Any 2xx means "I got it, do not retry". Most providers treat 4xx as permanent failures (bad payload, auth failed) and 5xx as temporary failures worth retrying. If your endpoint is returning 500 on valid payloads, the provider will eventually give up. If it returns 200 on broken payloads, you will silently lose events.

Frequently asked questions

Is this webhook tester free to use?

Yes. No signup, no limits, no ads. The tool runs entirely in your browser, so there is nothing to pay for.

Can this tool catch incoming webhooks from Stripe, GitHub, or other services?

No. This is a webhook sender and REST client, not a public catch-all URL. If you need a URL that receives incoming webhooks from third-party services so you can inspect the payloads they send, you want a service like webhook.site, RequestBin, or Hookdeck. This tool is for the other half of the problem: firing test requests at your own endpoints to see how they behave.

Why am I getting CORS errors when I try to send a request?

Because the request is made from your browser, the target server has to explicitly allow cross-origin requests via the Access-Control-Allow-Origin header. If you are testing your own endpoint, add https://www.forgelit.com to the allowed origins in your CORS config during development. If you are testing a third-party API that does not allow browser requests, you will need a server-side tool like curl, Postman's desktop app, or an HTTP client library instead.

Does it support Bearer tokens, Basic auth, and API keys?

Yes, via the Headers section. Add an Authorization header with the value Bearer YOUR_TOKEN for Bearer auth, Basic base64-encoded-credentials for Basic auth, or any custom header name for API keys (X-API-Key, X-Auth-Token, and so on). The headers you add are sent exactly as typed.

How is this different from Postman or Insomnia?

Postman and Insomnia are much more full-featured: collections, environments, scripting, team sharing, mock servers, test assertions. This tool is deliberately lighter weight. It opens instantly in a browser tab, has zero setup, and does not require an account. Think of it as the tool you reach for when you need to fire one request right now, not when you are managing a whole API workspace.

Are my requests or responses logged anywhere?

No. Requests go directly from your browser to the target URL you enter. Nothing is proxied through Forgelit, and no payload data is sent to any Forgelit server. We cannot see what you send or receive.

Privacy

Requests go directly from your browser to the target URL. Nothing is proxied or logged by Forgelit.