When Stripe sends a webhook to your server, how do you know it's really from Stripe? HMAC signatures answer this question. By computing a hash with a shared secret, HMAC proves both the sender's identity and the message's integrity — without exposing the secret.
What Is HMAC Generator?
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function (like SHA-256) with a secret key. Only someone with the key can generate or verify the signature. Our HMAC Generator supports MD5, SHA-1, SHA-256, and SHA-512.
How to Use HMAC Generator on DevToolHub
- Open the HMAC Generator tool on DevToolHub — no signup required.
- Paste or enter your input data in the left panel.
- See the result instantly in the output panel.
- Copy the result or download it as a file.
Verifying a Webhook Signature
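How your server verifies that a webhook really came from a service like Stripe:
const crypto = require("crypto");
// Stripe sends a webhook with header:
// Stripe-Signature: t=1616161616,v1=5257a869...
// Your server verifies, using the raw body exactly as received. Here req.body
// is assumed to be the unparsed body (e.g. from express.raw()); re-serializing
// parsed JSON with JSON.stringify can change the bytes and break the match.
const header = req.headers["stripe-signature"];
const timestamp = header.split(",").find((p) => p.startsWith("t=")).slice(2);
const payload = req.body.toString("utf8");
const secret = process.env.STRIPE_WEBHOOK_SECRET; // "whsec_..." (variable name is an example)
// Stripe signs the string "<timestamp>.<raw body>"
const signature = crypto
  .createHmac("sha256", secret)
  .update(`${timestamp}.${payload}`)
  .digest("hex");
// Compare: if signature matches the v1 value in the header → authentic
// If not → reject the request
Pro Tips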
- Use constant-time comparison for HMAC verification — timing attacks can leak information
- Include a timestamp in the signed payload to prevent replay attacks
- Use SHA-256 or SHA-512 for HMAC — avoid MD5 and SHA-1 for new implementations
- Store webhook secrets in environment variables, never in source code
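The verification step above combined with the first two tips (constant-time comparison and a signed timestamp), as an added example that is not from the original article or from Stripe's SDK. The names `sign` and `verifyWebhook`, the 300-second tolerance, and the sample secret, body and timestamp are assumptions constructed for illustration.

```javascript
const crypto = require("crypto");

// Hypothetical helper: HMAC-SHA256 over "<timestamp>.<rawBody>", hex-encoded.
function sign(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`).digest("hex");
}

// header: "t=<unix seconds>,v1=<hex>[,v1=<hex>...]"
// rawBody: request body exactly as received, before any JSON parsing.
// Returns { ok: true } or { ok: false, reason }.
function verifyWebhook(header, rawBody, secret, nowSec, toleranceSec = 300) {
  const fields = String(header || "").split(",").map((kv) => kv.trim().split("="));
  const t = fields.find(([k]) => k === "t");
  const candidates = fields.filter(([k]) => k === "v1").map(([, v]) => v || "");
  if (!t || !/^\d+$/.test(t[1] || "") || candidates.length === 0) {
    return { ok: false, reason: "malformed header" };
  }
  // Replay defence: reject deliveries whose signed timestamp is too old or
  // too far in the future. Rewriting t to look fresh breaks the signature.
  if (Math.abs(nowSec - Number(t[1])) > toleranceSec) {
    return { ok: false, reason: "timestamp outside tolerance" };
  }
  const expected = Buffer.from(sign(secret, t[1], rawBody), "hex");
  const match = candidates.some((hex) => {
    const given = Buffer.from(hex, "hex");
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    return given.length === expected.length &&
      crypto.timingSafeEqual(given, expected);
  });
  return match ? { ok: true } : { ok: false, reason: "signature mismatch" };
}

// Constructed sample data (not real Stripe values). In production the secret
// comes from an environment variable, not a literal.
const SECRET = "whsec_constructed_example";
const RAW_BODY = '{"id": "evt_constructed", "amount": 1000}';
const NOW = 1700000000;
const HEADER = `t=${NOW},v1=${sign(SECRET, NOW, RAW_BODY)}`;

console.log(verifyWebhook(HEADER, RAW_BODY, SECRET, NOW)); // authentic
// Re-serialized JSON drops the spaces, so the bytes differ from what was signed.
console.log(verifyWebhook(HEADER, JSON.stringify(JSON.parse(RAW_BODY)), SECRET, NOW));
console.log(verifyWebhook(HEADER, RAW_BODY, SECRET, NOW + 3600)); // stale replay
```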
When You Need This
- Verifying webhook signatures from Stripe, GitHub, Slack, and Shopify
- Signing API requests for AWS-style authentication
- Implementing request integrity checks between microservices
- Creating signed URLs with expiration for file downloads