HMAC Use Cases: Real Examples of Keyed Hashing

HMAC is used wherever two parties share a secret and need to prove a message is genuine: verifying webhook signatures, signing API requests, protecting tokens and checking that data was not tampered with in transit. These are the real-world workflows where the HMAC Generator helps you build, test and debug, with concrete examples for each.

Use case 1: verifying webhook signatures

Payment and SaaS providers like Stripe, GitHub and Slack sign each webhook with HMAC. They send a header such as X-Signature containing the HMAC-SHA256 of the request body, computed with your webhook secret. To confirm the event really came from them, you recompute the HMAC of the body with the same secret and check that it matches the header value. In the tool, paste the raw body as the message and your webhook secret as the key, select SHA-256, and compare the output to the header. This is a fast way to debug why a webhook is being rejected.
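The server-side check described above, as an added example that is not code from the original page or from any provider. The secret, the body, the `sha256=` header prefix and the function names are assumptions made for illustration; the example also shows the two mismatches that most often cause a rejected webhook, a re-serialized body and the wrong output encoding.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not from any real provider).
SECRET = b"whsec_constructed_example"
RAW_BODY = b'{"event":"order.paid","amount":1999}'  # bytes exactly as received


def sign(secret: bytes, body: bytes, encoding: str = "hex") -> str:
    """Compute HMAC-SHA256 of the body in the requested output format."""
    digest = hmac.new(secret, body, hashlib.sha256).digest()
    if encoding == "hex":
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported encoding: {encoding}")


def verify(secret: bytes, body: bytes, header: str, encoding: str = "hex") -> bool:
    """Return True only if the header carries a valid signature for body."""
    # Assumed header format: an optional "sha256=" prefix before the value.
    received = header.strip().removeprefix("sha256=")
    if encoding == "hex":
        received = received.lower()  # hex is case-insensitive, Base64 is not
    expected = sign(secret, body, encoding)
    # compare_digest takes the same time wherever the first mismatch is,
    # so response timing does not reveal how much of a guess was correct.
    return hmac.compare_digest(expected.encode(), received.encode())


def reserialize(body: bytes) -> bytes:
    """What a framework does when it parses JSON and serializes it again."""
    return json.dumps(json.loads(body)).encode()


if __name__ == "__main__":
    header = "sha256=" + sign(SECRET, RAW_BODY)
    print("raw body:         ", verify(SECRET, RAW_BODY, header))
    print("re-serialized:    ", verify(SECRET, reserialize(RAW_BODY), header))
    print("Base64 vs hex:    ",
          verify(SECRET, RAW_BODY, sign(SECRET, RAW_BODY, "base64")))
```

The second and third checks fail even though the secret is correct: the signature covers the exact bytes that were sent, and the verifier must use the same output encoding as the sender.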

Use case 2: signing API requests

Cloud APIs (AWS-style signing, for example) require clients to sign a canonical request string with a secret key so the server can authenticate the caller. Suppose the string to sign is GET/v1/orders1720137600 and your key is apikey-secret. Generating its HMAC-SHA256 gives the signature you attach to the request. If the server rejects it, reproducing the exact same string and key here shows whether your client is building the signature correctly.

Use case 3: token and cookie integrity

Session cookies and lightweight tokens are often protected by appending an HMAC of the payload. If someone edits the payload, the recomputed HMAC will not match and the token is rejected. This is the same principle behind the signature in a JWT signed with HS256: the third segment is an HMAC of the header and payload.

Use case 4: verifying downloaded data

When a file or config is distributed with a shared secret, an HMAC lets the recipient confirm both that the content is intact and that it came from the trusted source. This is stronger than a plain checksum, which anyone could recompute.

Where each scenario fits

| Use case | Message signed | Typical algorithm |
|---|---|---|
| Webhook verification | Raw request body | HMAC-SHA256 |
| API request signing | Canonical request string | HMAC-SHA256 |
| Token / cookie integrity | Encoded payload | HMAC-SHA256 |
| JWT (HS256) | Header + payload | HMAC-SHA256 |
| Data / download integrity | File contents or hash | HMAC-SHA256/512 |

Try the HMAC Generator, free and 100% in your browser.

FAQ

Can I use this to test a Stripe or GitHub webhook signature?

Yes. Paste the exact raw request body as the message and your webhook signing secret as the key, choose SHA-256, and compare the generated HMAC to the value in the signature header to confirm your verification logic.

Is a JWT signature just an HMAC?

For HS256 tokens, yes: the signature is the HMAC-SHA256 of the base64url-encoded header and payload joined by a dot, using the shared secret. You can reproduce that signing input here to check it.

Why HMAC instead of a plain SHA-256 checksum?

A plain hash proves only that data is unchanged; anyone can recompute it. HMAC mixes in a secret key, so it also proves the message came from someone who holds that key, adding authenticity on top of integrity.

Which output format do these systems expect?

It varies: many webhooks and APIs use hex, while some use Base64. Check the provider's docs and select the matching format so your generated signature lines up with theirs.
