Recuro.

HMAC Signature Verifier

Generate and verify HMAC signatures for webhook payloads.

Processed entirely in your browser — your secrets never leave your machine.

Verifying webhook signatures manually?

Recuro signs every outgoing webhook automatically and verifies incoming signatures. Zero manual HMAC setup.


What is HMAC signature verification?

When a service like Stripe, GitHub, or Shopify sends a webhook to your server, it includes a cryptographic signature in the request headers. This signature is an HMAC — a hash of the request body computed with a shared secret key. By recomputing the HMAC on your end and comparing it with the received signature, you can verify that the payload was not tampered with and that it genuinely came from the expected sender.

The most common algorithm is HMAC-SHA256, which produces a 256-bit (32-byte) hash. The signature is typically transmitted as a hexadecimal string or base64-encoded string. Stripe uses hex encoding, while Shopify uses base64. The algorithm and format depend on the provider.

To verify a webhook signature: (1) extract the signature from the request header, (2) compute HMAC of the raw request body using your webhook secret, (3) compare the two values using a constant-time comparison to prevent timing attacks. If they match, the payload is authentic.

Scheduling webhooks with signature verification? Recuro handles cron-triggered HTTP requests with full logging, retries, and header configuration.

Frequently Asked Questions

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a mechanism that combines a cryptographic hash function with a secret key to produce a message authentication code. It verifies both the integrity and authenticity of a message — only someone with the secret key can produce a valid HMAC for a given message.

How do I verify Stripe webhook signatures?

Stripe sends a Stripe-Signature header with each webhook event. Extract the timestamp (after t=) and the signature value (after v1=), then compute HMAC-SHA256 of the signed payload (the timestamp, a period, and the raw request body: timestamp.body) using your webhook endpoint secret. Compare the computed hex signature with the one from the header. This tool lets you do that manually for debugging.
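
The three verification steps and the Stripe-style check described above, as an added Python example that is not code from this page or from Recuro. The function names, the 300-second timestamp tolerance and the sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac


def verify_signature(secret: bytes, raw_body: bytes, received: str, encoding: str = "hex") -> bool:
    """Recompute HMAC-SHA256 over the raw body and compare with the header value."""
    mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    try:
        # Decode the header value to bytes so hex case or base64 padding
        # differences do not cause a false mismatch.
        if encoding == "hex":
            received_mac = bytes.fromhex(received.strip())
        else:
            received_mac = base64.b64decode(received.strip(), validate=True)
    except ValueError:
        return False  # malformed signature: reject instead of raising into the handler
    # compare_digest takes the same time wherever the first differing byte is.
    return hmac.compare_digest(mac, received_mac)


def verify_stripe_style(secret: bytes, raw_body: bytes, header: str,
                        now: int, tolerance: int = 300) -> bool:
    """Header 't=<unix time>,v1=<hex>'; the signed payload is '<t>.<body>'."""
    timestamp, candidates = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)  # a header may carry more than one v1 entry
    if timestamp is None or not timestamp.isdecimal() or not candidates:
        return False
    # Assumption: reject stale timestamps so a captured request cannot be replayed later.
    if abs(now - int(timestamp)) > tolerance:
        return False
    signed_payload = timestamp.encode() + b"." + raw_body
    return any(verify_signature(secret, signed_payload, c) for c in candidates)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret, body, t = b"whsec_example_only", b'{"id":"evt_test"}', 1700000000
    sig = hmac.new(secret, f"{t}.".encode() + body, hashlib.sha256).hexdigest()
    print(verify_stripe_style(secret, body, f"t={t},v1={sig}", now=t + 10))
```

Pass the body bytes exactly as they arrived on the wire; parsing and re-serializing JSON before hashing changes the bytes and the signature will no longer match.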

Is it safe to paste my webhook secret here?

Yes — this tool processes everything entirely in your browser using the Web Crypto API. No data is sent to any server. Your secrets, keys, and payloads never leave your machine. You can verify this by checking the Network tab in your browser DevTools.
