Webhook signature validation
Confirm that webhook handlers compute the same HMAC-SHA256 signature as the provider. Quickly detect header mismatches caused by whitespace or encoding differences.
Sign messages with HMAC-SHA256 for webhook verification and secure APIs.
HMAC-SHA256 Forge helps you reproduce and validate message signatures required by modern APIs. Supply the secret and payload, then compare the generated signature with headers from Stripe, GitHub, Slack, or your own services.
Sign outbound requests in staging environments before wiring the logic into server-side code, ensuring parity between client prototypes and backend implementations.
Regenerate signatures for suspicious payloads to determine whether they were produced with a known secret or forged by an attacker.
Include identical whitespace, casing, and encoding used in the original request. Even minor differences produce different HMAC results.
Use the secret key configured in your webhook or API integration. Avoid sharing production secrets in collaborative sessions.
Select “Generate signature” to produce the hexadecimal HMAC. Compare it with the value from the provider’s headers to verify authenticity.
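The comparison described in the steps above, as an added Python example (not code from HMAC-SHA256 Forge or from any provider). It verifies over the raw request bytes and reports which whitespace change explains a mismatch. Assumptions: the header carries a bare hexadecimal digest, and the secret, payload, and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values, not real credentials or provider data.
SECRET = b"constructed-test-secret"
RAW_BODY = b'{"event": "invoice.paid", "amount": 1200}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes of the request body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Constant-time check; only header whitespace and hex casing are normalized."""
    received = header_value.strip().lower().encode()
    return hmac.compare_digest(sign(secret, raw_body).encode(), received)


def reserialize(raw_body: bytes) -> bytes:
    """What a handler holds if it parses the JSON and dumps it again."""
    return json.dumps(json.loads(raw_body), separators=(",", ":")).encode()


def diagnose(secret: bytes, held_body: bytes, header_value: str) -> str:
    """Name the body transformation, if any, that explains a mismatch."""
    lf = held_body.replace(b"\r\n", b"\n")
    variants = {
        "match": held_body,
        "signed body had a trailing LF": held_body + b"\n",
        "signed body had no trailing newline": held_body.rstrip(b"\r\n"),
        "signed body used LF line endings": lf,
        "signed body used CRLF line endings": lf.replace(b"\n", b"\r\n"),
    }
    for label, body in variants.items():
        if verify(secret, body, header_value):
            return label
    return "no match: wrong secret, altered payload, or forged signature"


if __name__ == "__main__":
    header = sign(SECRET, RAW_BODY)
    print(verify(SECRET, RAW_BODY, header))               # raw bytes as received
    print(verify(SECRET, reserialize(RAW_BODY), header))  # re-encoded JSON
    print(diagnose(SECRET, RAW_BODY, sign(SECRET, RAW_BODY + b"\n")))
```

In a handler, pass the body bytes exactly as they arrived on the wire; a parsed and re-encoded JSON object will not verify even when the content is identical.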
HMAC incorporates a secret key, providing both integrity and authenticity checks. Attackers cannot forge the signature without the secret, even if they know the payload.
HMAC-SHA256 offers a strong balance of security and performance. It’s standardized, widely supported, and resists length-extension and collision attacks.
Avoid secret reuse. Assign distinct keys per environment and provider to minimize blast radius if a secret leaks.