
2026-05-18 · 1 min read

HMAC signing for webhooks

Use a shared secret and a stable algorithm—verify on the server, never trust client-side checks alone.

Tags: HMAC, security, webhooks

Key takeaways

  • HMAC needs a secret key: the key is the second input alongside the message, so treat it as sensitive and never log it.
  • Prefer SHA-256 unless legacy partners require SHA-1.

Basics

Both sides agree on the algorithm (e.g., HMAC-SHA256) and on the signature encoding (usually hex or base64).

Sign the raw request body bytes exactly as received; re-serializing the payload or changing whitespace alters the bytes and breaks verification.
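An added example (not code from the original post) of the sender-side signing and server-side verification described above, using only Python's standard library with a constructed secret and sample payload; it also shows that re-serializing the same JSON changes the bytes and fails the check, and that the server compares signatures in constant time.

```python
import hashlib
import hmac
import json

# Constructed sample values for this example. A real deployment loads the
# secret from a secrets manager, never from source control or logs.
SHARED_SECRET = b"example-webhook-secret"  # placeholder, not a real key
SAMPLE_BODY = b'{"event":"order.paid","id":"ord_123","amount":1999}'


def sign_body(secret: bytes, body: bytes, algorithm: str = "sha256") -> str:
    """Sender side: hex-encoded HMAC over the raw body bytes."""
    return hmac.new(secret, body, algorithm).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, presented: str,
                     algorithm: str = "sha256") -> bool:
    """Server side: recompute over the raw bytes and compare in constant time."""
    expected = sign_body(secret, raw_body, algorithm)
    # compare_digest does not short-circuit on the first mismatching byte,
    # so the comparison time does not leak how much of the signature matched.
    return hmac.compare_digest(expected, presented)


def reserialize(body: bytes) -> bytes:
    """Parse and re-dump the JSON with default spacing; the bytes change."""
    return json.dumps(json.loads(body)).encode()


def demo() -> dict:
    """Exercise the three cases a webhook receiver should expect."""
    sig = sign_body(SHARED_SECRET, SAMPLE_BODY)
    return {
        # Raw bytes as received: verification succeeds.
        "raw_ok": verify_signature(SHARED_SECRET, SAMPLE_BODY, sig),
        # Same JSON document, different whitespace: verification must fail.
        "reserialized_ok": verify_signature(SHARED_SECRET, reserialize(SAMPLE_BODY), sig),
        # Wrong key: verification must fail.
        "wrong_key_ok": verify_signature(b"other-secret", SAMPLE_BODY, sig),
        "bytes_differ": reserialize(SAMPLE_BODY) != SAMPLE_BODY,
    }


if __name__ == "__main__":
    print(demo())
```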

Debugging safely

Use test secrets when experimenting in browser tools; if a production secret is ever pasted there, rotate it.

Compare your HMAC output with the provider docs using their sample payload.

FAQ

Is HMAC the same as a password hash?

No. HMAC uses a secret key with the message; password hashing uses salts and slow algorithms.

Can I verify HMAC in the browser?

You can prototype, but production verification must run server-side with protected keys.