Question 1

What is HMAC webhook signature?

Accepted Answer

HMAC (Hash-based Message Authentication Code) uses a secret key and a hash function to sign webhook payloads. Recipients verify authenticity and integrity by recomputing the signature with the shared secret.

Question 2

Why timing-safe comparison?

Accepted Answer

Timing-safe comparison (constant-time) prevents attackers from inferring the correct signature byte-by-byte via response time. Standard string comparison may leak timing information.

Question 3

Which providers use HMAC signatures?

Accepted Answer

Stripe uses HMAC-SHA256 with hex encoding. GitHub uses HMAC-SHA256 (hex) with header 'X-Hub-Signature-256'. Shopify uses HMAC-SHA256 with base64 encoding.

🔐 Webhook Signature Generator

📄 Code Snippets

🏢 Common provider formats