HMAC Signature Verifier
Verify webhook HMAC signatures locally. Your secret key never leaves your browser - all computation happens client-side using the Web Crypto API.
100% Client-Side Processing
Your secret key never leaves your browser. All HMAC computation happens locally using the Web Crypto API. No data is transmitted over the network.
Webhook Payload
The raw payload body exactly as received
Secret Key & Signature
Your webhook signing secret and the signature to verify
Accepts signatures with or without algorithm prefix (sha256=, v1=, etc.)
Code Examples
Generate and verify SHA-256 signatures in your preferred language
const crypto = require('crypto');

// Generate HMAC signature
function generateSignature(payload, secret) {
  return crypto
    .createHmac('sha256', secret)
    .update(payload, 'utf8')
    .digest('hex');
}

// Verify HMAC signature
function verifySignature(payload, secret, signature) {
  const expected = Buffer.from(generateSignature(payload, secret), 'hex');
  const provided = Buffer.from(signature, 'hex');
  // timingSafeEqual throws a RangeError when the buffers differ in length,
  // so reject a wrong-length signature before comparing
  if (provided.length !== expected.length) {
    return false;
  }
  // Use timing-safe comparison to prevent timing attacks
  return crypto.timingSafeEqual(provided, expected);
}

// Example usage
const payload = JSON.stringify({ event: 'email.received' });
const secret = 'whsec_your_secret_key';
const signature = generateSignature(payload, secret);
console.log('Signature:', signature);
console.log('Valid:', verifySignature(payload, secret, signature));
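The two input rules stated above (verify the raw payload exactly as received, and accept signatures with or without a prefix such as sha256= or v1=) can be handled on the server as in the following added example, which is not code from this tool. It assumes hex-encoded HMAC-SHA256 signatures; the function names, secret and payload are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Strip an optional "<label>=" prefix (e.g. "sha256=", "v1=") and return the
// lowercase hex digest, or null if what remains is not exactly 64 hex chars.
function normalizeSignature(header) {
  if (typeof header !== 'string') return null;
  const value = header.trim();
  const eq = value.indexOf('=');
  const hex = eq === -1 ? value : value.slice(eq + 1);
  return /^[0-9a-f]{64}$/i.test(hex) ? hex.toLowerCase() : null;
}

// Verify an HMAC-SHA256 signature over the body bytes as received.
// rawBody must be the unparsed request body, not re-serialized JSON.
function verifyWebhook(rawBody, secret, header) {
  const provided = normalizeSignature(header);
  if (provided === null) return false; // malformed input: reject, never throw
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  const given = Buffer.from(provided, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample data (not real credentials or traffic)
const SECRET = 'whsec_example_only';
const RAW_BODY = '{"event": "email.received", "id": 42}'; // spacing as sent
const DIGEST = createHmac('sha256', SECRET).update(RAW_BODY).digest('hex');

function demo() {
  // Parsing and re-serializing drops the spaces, so the bytes no longer match.
  const reserialized = JSON.stringify(JSON.parse(RAW_BODY));
  return {
    bare: verifyWebhook(RAW_BODY, SECRET, DIGEST),
    sha256Prefix: verifyWebhook(RAW_BODY, SECRET, 'sha256=' + DIGEST),
    v1Prefix: verifyWebhook(RAW_BODY, SECRET, 'v1=' + DIGEST),
    reserialized: verifyWebhook(reserialized, SECRET, DIGEST),
    truncated: verifyWebhook(RAW_BODY, SECRET, 'sha256=' + DIGEST.slice(0, 10)),
    wrongSecret: verifyWebhook(RAW_BODY, 'some_other_secret', DIGEST),
  };
}

console.log(demo());
```

The reserialized case is the common integration failure: a framework that parses JSON before the handler runs leaves nothing byte-identical to sign, so capture the raw body before any parsing middleware.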