Webhook Signature Verifier — GitHub · Stripe · Shopify · Any HMAC Webhook
HMAC-SHA1 · HMAC-SHA256 · HMAC-SHA384 · HMAC-SHA512 · Webhook verify · Batch · API signing · 100% browser-side
🔒 Key never leaves your browser — processed via Web Crypto API
Verify webhook HMAC signatures from any platform. Paste the webhook payload as message, enter your webhook secret, and use Verify Mode to confirm ✅ Match or ❌ No match. Supports GitHub (X-Hub-Signature-256), Stripe (Stripe-Signature), Shopify, and any custom HMAC-signed webhook.
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a hash function with a secret key. Unlike a plain hash, which only verifies data integrity, HMAC also proves authenticity: only someone with the correct secret key can produce a valid HMAC. It is the backbone of API authentication, webhook verification, and JWT signatures.
HMAC-SHA256 vs HMAC-SHA512
HMAC-SHA256 is the current industry standard — used by AWS Signature V4, GitHub webhooks, Stripe, Shopify, and most modern REST APIs. It produces a 64-character hex signature. HMAC-SHA512 provides extra security with a 128-character hex signature and is preferred for banking, fintech, and high-security systems. Both are secure — choose SHA256 for compatibility and SHA512 for maximum security.
Frequently Asked Questions
How do I verify a GitHub webhook signature?
Copy the raw request body as message. Enter your GitHub webhook secret as key. Compute HMAC-SHA256. The result should match the value after "sha256=" in the X-Hub-Signature-256 header.
How do I verify a Stripe webhook?
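Stripe sends a Stripe-Signature header containing a timestamp and a signature. Build the signed_payload by joining the timestamp, a "." character, and the raw request body. Enter it as message, enter your webhook endpoint secret (whsec_xxx) as key, and compute HMAC-SHA256 to compare with the signature from the header.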
How do I verify a Shopify webhook?
Shopify uses HMAC-SHA256 with Base64 output. Enter the raw request body as message, your Shopify secret as key, and switch output format to Base64. Compare with the X-Shopify-Hmac-Sha256 header.
Why must I use raw body for webhook verification?
JSON parsing can modify whitespace and key ordering, which changes the hash. Always compute HMAC on the exact raw bytes received — before any JSON.parse() or body parsing.
What is timing-safe comparison?
Regular string comparison (===) can leak timing information — attackers can measure how long it takes to find where signatures differ. Use crypto.timingSafeEqual() (Node.js) or hmac.compare_digest() (Python) for webhook verification.
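
The GitHub and Shopify checks, the raw-body rule and the timing-safe comparison from the answers above, combined in Node.js. This is an added example, not this tool's code; the function names, the secret and the payload are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// HMAC-SHA256 over the exact bytes received, compared in constant time.
// rawBody must be the Buffer as received, never a re-serialized object.
function verifySignature(rawBody, secret, received, encoding) {
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const got = Buffer.from(received, encoding); // "hex" or "base64"
  // timingSafeEqual throws on unequal lengths, so reject those first;
  // the length of a SHA-256 MAC (32 bytes) is not secret.
  if (got.length !== expected.length) return false;
  return crypto.timingSafeEqual(expected, got);
}

// GitHub: X-Hub-Signature-256 carries "sha256=" followed by the hex digest.
function verifyGitHub(rawBody, secret, header) {
  if (typeof header !== "string" || !header.startsWith("sha256=")) return false;
  return verifySignature(rawBody, secret, header.slice("sha256=".length), "hex");
}

// Shopify: X-Shopify-Hmac-Sha256 carries the Base64 digest.
function verifyShopify(rawBody, secret, header) {
  if (typeof header !== "string") return false;
  return verifySignature(rawBody, secret, header, "base64");
}

// Constructed sample data: the secret and payload are made up for this demo.
function demo() {
  const secret = "constructed-demo-secret";
  const raw = Buffer.from('{"action": "opened",  "number": 1}');
  const mac = crypto.createHmac("sha256", secret).update(raw);
  const header = "sha256=" + mac.digest("hex");
  // Parsing and re-serializing drops the whitespace, so the bytes differ.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(raw.toString())));
  return {
    rawBody: verifyGitHub(raw, secret, header),
    reserializedBody: verifyGitHub(reserialized, secret, header),
    wrongSecret: verifyGitHub(raw, "other-secret", header),
  };
}

console.log(demo());
```

In a real handler, capture the body as a Buffer before any JSON middleware runs and pass that Buffer to these functions.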