HMAC Signatures Explained for API and Webhook Testing
Understand how a message, secret and hash algorithm combine to create a verifiable signature.
HMAC Generator helps you apply this guide directly in the browser.
What an HMAC proves
An HMAC lets two systems confirm that a message was created by someone who knows the shared secret and that the message was not changed in transit.
The secret itself is not included in the signature. Both sides calculate the HMAC independently and compare the results.
Exact input matters
Whitespace, line endings, parameter order and character encoding all affect the signature. A one-character difference produces a different result.
When debugging a webhook, check the raw request body, byte for byte, against the exact encoding rules described by the provider.
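The effect of byte-level differences on verification, as an added example that is not part of the original guide. It assumes HMAC-SHA256 with hex output; the secret, the request body and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values; the secret and body are made up for this example.
SECRET = b"example-shared-secret"
RAW_BODY = b'{"event": "order.paid", "id": 42,  "amount": "10.00"}\n'


def sign(secret: bytes, body: bytes) -> str:
    """Return the hex HMAC-SHA256 of the exact bytes given."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, received_sig: str) -> bool:
    """Recompute the HMAC over the raw bytes and compare in constant time."""
    expected = sign(secret, body)
    return hmac.compare_digest(expected, received_sig)


def variants(raw: bytes) -> dict:
    """Byte-level changes that keep the JSON meaning but alter the input."""
    parsed = json.loads(raw)
    return {
        "raw bytes as received": raw,
        "re-serialized JSON": json.dumps(parsed).encode("utf-8"),
        "keys sorted": json.dumps(parsed, sort_keys=True).encode("utf-8"),
        "trailing newline stripped": raw.rstrip(b"\n"),
        "LF changed to CRLF": raw.replace(b"\n", b"\r\n"),
        "UTF-16 instead of UTF-8": raw.decode("utf-8").encode("utf-16-le"),
    }


def check_all(secret: bytes, raw: bytes, received_sig: str) -> dict:
    """Map each variant name to whether it verifies against the signature."""
    return {name: verify(secret, body, received_sig)
            for name, body in variants(raw).items()}


if __name__ == "__main__":
    sender_sig = sign(SECRET, RAW_BODY)  # what the sender would put in a header
    for name, ok in check_all(SECRET, RAW_BODY, sender_sig).items():
        print(f"{'match   ' if ok else 'MISMATCH'}  {name}")
```

Only the untouched bytes verify, which is why a receiver should compute the HMAC over the request body before any JSON parsing or framework normalization.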