How to Verify HMAC Signatures - Step by Step Guide

Validate whether an expected signature matches the computed HMAC output

Step 1

Add Message and Secret Key

Provide the original payload and the shared secret key used by the sender. The tool computes the HMAC signature using the SubtleCrypto.sign() API.

Message: Paste the exact webhook body, API request payload, or text content that was signed.
Secret key: Enter the shared secret from your webhook configuration or API credentials.
Try sample: Click Sample to load a webhook event with a matching expected signature.

Example — verifying a GitHub webhook signature:

Message: {"event":"webhook","id":"wh_101","status":"ok"}
Secret:  my-demo-secret-key
Algorithm: HMAC-SHA-256

Expected (from X-Hub-Signature-256 header):
sha256=a3f2b1c4d5e6...

Verification → PASS (signature is authentic)

Step 2

Set Expected Signature and Format

Paste the expected signature value received from your webhook provider and select the matching format (HEX or Base64).

HEX format: Standard for Stripe, GitHub, and most webhook X-Signature headers.
Base64 format: Used by AWS, Azure, and some enterprise API authentication flows.
Algorithm: Must match the algorithm used by the sender — HMAC-SHA-256 is the most common.

Step 3

Read PASS or FAIL Result

The tool computes the HMAC from your message and secret as specified in RFC 2104, then compares the result against the expected signature.

PASS: The computed signature matches the expected value — the payload is authentic and unmodified.
FAIL: The signatures do not match. The payload may have been tampered with, or the wrong secret or algorithm was used.
Side-by-side view: Actual HEX and Base64 signatures are shown for manual debugging.

Example — failed verification due to wrong secret:

Message: {"event":"webhook","id":"wh_101","status":"ok"}
Secret:  wrong-secret-key  (should be: my-demo-secret-key)

Actual HEX:   b7c8d9e0f1a2...
Expected HEX: a3f2b1c4d5e6...

Verification → FAIL (secret key does not match)

Step 4

Export Verification Result

Copy or download the full verification log for security audit trails and incident investigation.

Copy: Copy the full verification log including algorithm, actual and expected signatures, and PASS/FAIL result.
Download: Save the verification result as a text file for compliance and incident records.
Need to generate? Use HMAC Generator to create new signatures with your secret key.

Frequently Asked Questions

What are common reasons for FAIL?

Wrong secret key, wrong algorithm, changed payload bytes (including whitespace and newline differences), or expected signature format mismatch (HEX vs Base64).

Is my secret key transmitted anywhere?

No. All HMAC computation happens locally in your browser using the W3C Web Crypto API. Your secret key, message, and signature never leave the browser.

Need to generate signatures first?

Use HMAC Generator to create HMAC signatures in HEX and Base64 formats, then come back here to verify received signatures.

How do I debug signature mismatches?

Compare the actual HEX/Base64 output shown in the tool against the expected value. Check that the message is byte-for-byte identical, the secret key has no trailing spaces, and the algorithm matches what the sender used.

Can I verify with command line tools?

Yes. The output matches OpenSSL dgst -hmac, Node.js crypto.createHmac(), and the Python hmac module for the same UTF-8 input and key.
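
The check from Steps 1 to 3, written out as an added example (not this tool's source code): the received signature is decoded from HEX or Base64 and handed to SubtleCrypto.verify(), so the comparison is done by the crypto library rather than by comparing strings in script. The function names decodeSignature, signHex and verifyHmac are assumptions made for this example, and the demo signature is computed in place rather than taken from the page.

```javascript
// Added example, not the tool's own source. Function names are hypothetical.
// Runs in browsers and Node.js 19+ (falls back to node:crypto's webcrypto on older Node).
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const enc = new TextEncoder(); // messages and secrets are signed as UTF-8 bytes

// Decode a received signature into bytes; returns null if it is malformed.
// An optional "sha256="-style prefix (as in X-Hub-Signature-256) is stripped.
function decodeSignature(sig, format) {
  const s = sig.trim().replace(/^sha\d+=/i, '');
  if (format === 'hex') {
    if (s.length === 0 || s.length % 2 !== 0 || !/^[0-9a-f]+$/i.test(s)) return null;
    return Uint8Array.from(s.match(/../g), (h) => parseInt(h, 16));
  }
  if (format === 'base64') {
    try { return Uint8Array.from(atob(s), (c) => c.charCodeAt(0)); }
    catch { return null; }
  }
  return null;
}

function importKey(secret, hash) {
  return subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash }, false, ['sign', 'verify']);
}

// Sender side: HMAC of the message as lowercase hex.
async function signHex(message, secret, hash = 'SHA-256') {
  const mac = await subtle.sign('HMAC', await importKey(secret, hash), enc.encode(message));
  return Array.from(new Uint8Array(mac), (b) => b.toString(16).padStart(2, '0')).join('');
}

// Receiver side: resolves to true (PASS) or false (FAIL).
async function verifyHmac(message, secret, expected, format = 'hex', hash = 'SHA-256') {
  const sig = decodeSignature(expected, format);
  if (sig === null) return false; // an undecodable signature is a FAIL, not an exception
  return subtle.verify('HMAC', await importKey(secret, hash), sig, enc.encode(message));
}

// Demo with the page's sample message and secret; the signature is computed here.
const demoBody = '{"event":"webhook","id":"wh_101","status":"ok"}';
signHex(demoBody, 'my-demo-secret-key').then(async (sig) => {
  console.log('PASS case:', await verifyHmac(demoBody, 'my-demo-secret-key', 'sha256=' + sig));
  console.log('wrong secret:', await verifyHmac(demoBody, 'wrong-secret-key', sig));
  console.log('extra newline:', await verifyHmac(demoBody + '\n', 'my-demo-secret-key', sig));
});
```

The last demo line shows why the message must be byte-for-byte identical: a single trailing newline is enough to turn PASS into FAIL.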