HMAC (Hash-based Message Authentication Code) is a widely-used message authentication technology defined in RFC 2104. HMAC processes a key together with a message through a hash function to produce a fixed-length signature. Unlike regular hashes, HMAC requires knowing the key to generate or verify a signature, guaranteeing both message integrity and authenticity.
**HMAC is the foundation of modern API security**. Stripe, GitHub, Shopify, Slack, and Twilio use HMAC-SHA256 to sign webhook events, ensuring requests actually come from the platform. AWS uses HMAC-SHA256 for Signature V4 request signing. JWT's HS256 algorithm is essentially HMAC-SHA256. Understanding HMAC is the first step to mastering API security.
**Different platforms have different signature formats**: Stripe's format is `t=timestamp,v1=hex_signature`, signing `timestamp.payload`; GitHub uses `X-Hub-Signature-256` with format `sha256=hex_signature`; Shopify uses `X-Shopify-Hmac-Sha256` with Base64-encoded value. This tool supports automatic parsing and verification for these common formats.
**Why does signature verification fail?** The most common reason is message format mismatch: the platform might sign `timestamp.payload` instead of the raw message body; or the message contains extra newlines; or the signature includes a prefix (like `sha256=`) that needs removing. Check the platform documentation carefully and compare using the raw hexadecimal value.
This tool uses the browser's native **Web Crypto API** (SubtleCrypto) for HMAC calculations — the same cryptographic library that powers HTTPS and TLS. All computation happens locally; keys and messages are never sent to any server. Open browser DevTools Network panel to verify no external requests are made.