✍️

Generate HMAC

Message Secret Key

⚠️ Key is fewer than 16 characters — use a longer, random key for production.

HMAC Signature

—

✅

Verify Signature

Uses the same message and key from the generator above. Paste the expected signature to compare.

Expected Signature (hex or Base64)

✅ Signatures match — integrity verified

❌ Signatures do NOT match — payload may have been tampered with

📖

Common Use Cases

🐙 GitHub Webhook Verification

// Header: X-Hub-Signature-256: sha256=<hex> // Algorithm: HMAC-SHA256, key = your webhook secret // Message: raw request body (bytes, not parsed JSON) const sig = 'sha256=' + hmacSHA256(body, secret) if (!timingSafeEqual(sig, req.headers['x-hub-signature-256'])) throw new Error('Invalid')

💳 Stripe Webhook Verification

// Header: Stripe-Signature: t=<ts>,v1=<hex> // Signed payload: timestamp + '.' + rawBody // Algorithm: HMAC-SHA256, key = endpoint signing secret const payload = timestamp + '.' + rawBody const expected = hmacSHA256(payload, stripeSecret)

🔑 API Request Signing

// Common pattern: sign method + path + timestamp + body hash const canonicalReq = method + '\n' + path + '\n' + timestamp + '\n' + sha256(body) const signature = hmacSHA256(canonicalReq, apiSecret) // Send in header: Authorization: HMAC-SHA256 sig=<hex>,ts=<timestamp>

AquilaX Platform

Detect missing HMAC validation
in your codebase.

AquilaX detects missing webhook signature validation, weak signing keys, and insecure HMAC implementations across your entire codebase.

Start Free → Book a Demo

HMAC Generator& Verifier.

Generate HMAC

Verify Signature

Common Use Cases

Detect missing HMAC validationin your codebase.

HMAC Generator
& Verifier.

Detect missing HMAC validation
in your codebase.