Does this tool send my shared secret to a server?

No. All HMAC computations and signature verifications are performed locally in your browser using Node crypto APIs.

Why does my generated signature not match the webhook signature?

Ensure you are pasting the exact raw request body. Re-serializing JSON or adding whitespace changes the byte sequence, which alters the HMAC output.

What is constant-time comparison?

It is a security measure that compares signatures byte-by-byte at a constant speed, preventing attackers from using timing analysis to guess the signature.

Which algorithms are supported?

The tool supports SHA-1, SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-512, BLAKE2s-256, and BLAKE2b-512.

What do the webhook presets do?

They automatically configure the correct hashing algorithm, output encoding, and signature prefix format used by Stripe, Slack, or GitHub.

Elysia Tools

Navigation

Security

HMAC Generator & Verifier

Compute an HMAC message-authentication signature over a message + shared secret using SHA-1/SHA-2/SHA-3/BLAKE2, or verify an incoming signature against the secret — with webhook presets for Stripe / Slack / GitHub and constant-time comparison

Details

What this tool helps you do

HMAC (Hash-based Message Authentication Code) proves a message was sent by someone who knows the shared secret and was not tampered with — it is the standard signature mechanism behind Stripe, Slack, GitHub, Shopify and most other webhooks.

This tool supports two modes:

Generate: paste the raw request body and your webhook secret, pick an algorithm (SHA-1, SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-512, BLAKE2s-256, BLAKE2b-512) and an output encoding (hex / base64 / base64url), and get the signature.
Verify: additionally paste the signature you received in the webhook header; the tool recomputes the HMAC and compares it in constant time via crypto.timingSafeEqual.

Webhook presets auto-select the right algorithm, encoding and signature prefix for Stripe, Slack, and GitHub. Everything is computed locally with Node crypto; the secret never leaves the request.

Execution

Run this tool

Fill in the form, run the tool, and review the result in one place.

Prepared example runs

Click an example to fill the form automatically. File inputs still need an upload.

1 examples

Verify a Stripe-style webhook signature

Generate the HMAC-SHA-256 of a sample body, then verify a tampered signature to see the constant-time comparison fail.

<div>Computes HMAC-SHA-256 over the body and shows MATCH / NO MATCH against the provided signature with expected vs computed hex.</div>

Inputs

Set the required fields, then run the tool.

7 options

ContentPaste or type the main input values.3

Message (raw body)textareaRequiredShared SecrettextRequiredSignature to verifytextOptional

SettingsAdjust formats, ranges, numbers, and modes.4

ModeselectOptionalAlgorithmselectOptionalSignature EncodingselectOptionalWebhook presetselectOptional

Result

Ready for a run

Run the tool to preview files, text, structured data, or streamed output here.

Samples

HMAC Generator & Verifier

What this tool helps you do

Run this tool

Prepared example runs

Inputs

Result

Examples that match this tool

Continue with connected tools and hubs

Prepared example runs

Inputs

Result

Learn when to use this tool, what it supports, and how real users apply it.

Key facts

Overview

When to use

How it works

Use cases

Examples

1. Verifying a Stripe Webhook Signature

2. Generating a Slack Webhook Signature for Testing

FAQ

Android Image Processing Java Samples

Android Image Processing Kotlin Samples

Web Image Processing Python Samples

Web Image Processing Rust Samples

TOTP / HOTP Offline Code Generator

BIP39 Mnemonic Phrase Generator

Argon2 Password Hash Generator

Barcode Batch Generator

JSON Schema, Mock Data, and API Fixture Generators

CSS Effects, Palettes, and Design Token Generators

Printable PDF Layout and Template Generators

Audio Preview, Tone, and Effect Generator Tools