Features

🔏 HMAC Generation

SHA-256, SHA-512, SHA-1 support
Outputs hex and Base64 formats
Auto-normalizes JSON before signing
Uses Web Crypto API (no server needed)

✅ Signature Verification

Paste expected signature to verify
Supports hex and Base64 comparison
Handles GitHub/Stripe-style prefixes
Clear pass/fail status indicator

🔐 Privacy First

All computation runs in-browser
Secrets never leave your device
No server-side processing
Safe for sensitive webhook secrets

HMAC Webhook Guide

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a mechanism for verifying the integrity and authenticity of a message using a shared secret key. Webhook providers use it to prove that a payload genuinely came from them.

# Node.js example
const crypto = require('crypto');
const secret = 'my-webhook-secret';
const payload = JSON.stringify(body);
const sig = crypto.createHmac('sha256', secret).update(payload).digest('hex');
// GitHub sends: X-Hub-Signature-256: sha256=<sig>

Verifying a Webhook in Python

import hmac, hashlib, json

def verify_webhook(payload: dict, secret: str, received_sig: str) -> bool:
    body = json.dumps(payload, separators=(',', ':'))
    expected = hmac.new(
        secret.encode(), body.encode(), hashlib.sha256
    ).hexdigest()
    # Strip provider prefix if present (e.g. "sha256=")
    clean = received_sig.split('=', 1)[-1]
    return hmac.compare_digest(expected, clean)

Common Use Cases

GitHub Webhooks: Verify X-Hub-Signature-256 headers on push/PR events
Stripe Webhooks: Validate payment event payloads with Stripe-Signature
Shopify: Authenticate order and fulfillment webhook calls
Slack Events API: Confirm requests originate from Slack
Custom APIs: Add HMAC signing to your own webhook integrations

FAQ

Q: Why does my signature not match?

A: The most common cause is whitespace differences in the payload. This tool normalizes JSON (minifies it) before signing, which matches how most providers compute the signature. Ensure you are using the raw request body, not a re-serialized object.

Q: Is MD5 safe for HMAC?

A: MD5 is cryptographically weak for hashing but HMAC-MD5 is still considered secure for message authentication. However, prefer SHA-256 or SHA-512 for new implementations. Note: browsers do not natively support HMAC-MD5 via Web Crypto, so this tool maps MD5 selection to SHA-256 internally.

JSON HMAC Verifier