deftools.io Security

HMAC Generator

Sign data with a secret key using HMAC-SHA1/256/384/512. Generate signatures for webhooks & APIs, or verify a signature against a payload. Uses native Web Crypto — your data never leaves your browser.

0 B
📌 Usage notes & common pitfalls
  • Webhook signatures (e.g. Stripe): algorithm SHA-256, message = raw request body, key = signing secret, output = hex.
  • GitHub webhooks: sha256= prefix on the signature. Strip the prefix before comparing.
  • Binary payloads: check Input is hex and paste the raw hex of the bytes.
  • Key encoding: the key is treated as UTF-8 text. If you have a hex key, convert it first.
  • Comparison in Verify mode is constant-time, but timing-safe at rest — this is a debugging aid, not for production verification.