← All tools
Built by UnifyPort
HMAC Signature Generator
Generate and verify HMAC signatures — entirely in your browser.
Verify mode
Paste an existing signature to compare it against the computed result above.
Paste a signature to verify
Why HMAC?
Webhook providers (Telegram, WhatsApp, Stripe, GitHub) sign every request with your shared secret so you can verify it really came from them. The signature is an HMAC — a hash of the request body keyed with your secret. This tool lets you compute and compare those signatures without writing code, which is useful when you are debugging a webhook integration and need to confirm the signature your server computes matches the one in the request header.
FAQ
- What is HMAC?
- HMAC (Hash-based Message Authentication Code) is a mechanism that lets a sender prove they know a shared secret without sending the secret over the wire. It combines a cryptographic hash function with a secret key to produce a signature.
- How is HMAC used in webhook verification?
- Webhook providers sign the raw request body with your shared secret and include the resulting signature in a header (e.g., X-Hub-Signature-256). Your server recomputes the HMAC over the received body using the same secret, then compares. If they match, the request is authentic.
- Does my data leave the browser?
- No. This tool uses the Web Crypto API built into your browser. Your payload and secret are never sent to any server — all computation happens locally on your device.
- Which algorithms are supported?
- SHA-1, SHA-256, and SHA-512. SHA-256 is the most common for webhook signing today. SHA-1 is legacy but still used by some providers. SHA-512 is available for providers that require it.