HMAC (Hash-based Message Authentication Code)

Hash-based Message Authentication Code (HMAC) is a specific type of message authentication code (MAC) that involves a cryptographic hash function and a secret key. It is used to verify the integrity and authenticity of a message, ensuring that it has not been tampered with or altered during transmission.

In the context of webhooks, HMAC is used to authenticate webhook requests coming from the webhook provider to the webhook receiver. The webhook provider generates an HMAC value using the shared secret key and the webhook payload, and includes the HMAC value in the HTTP headers of the webhook request.

Upon receiving the webhook request, the webhook receiver calculates its own HMAC value using the same shared secret key and the received webhook payload. The webhook receiver compares its calculated HMAC value to the one included in the incoming webhook request. If the two values match, the webhook request is considered authentic and can be safely processed; if the values do not match, the request is deemed inauthentic and should be rejected.

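Using HMAC for webhook authentication offers several benefits, including confidentiality, integrity, replay protection, and cryptographic strength. The HMAC value itself supplies the integrity and authenticity check; it does not encrypt the payload, so confidentiality in practice depends on delivering the webhook over HTTPS, and replay protection depends on including a timestamp or unique identifier in the signed data. By implementing HMAC in webhook-enabled applications, developers can help protect sensitive data and maintain the overall security of their systems.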
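The provider and receiver steps described above, as an added example that is not code from the original page. It goes one step further than the text by signing a timestamp together with the payload so that stale requests can be rejected. The header names, the `<timestamp>.<body>` signing format, the hex SHA-256 encoding and the five-minute window are all assumptions; a real provider documents its own.

```python
import hashlib
import hmac
import time
from typing import Mapping, Optional

# Assumed conventions for this example (not from the page).
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
TOLERANCE_SECONDS = 300


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Provider side: HMAC-SHA256 over '<timestamp>.<raw body>', hex encoded."""
    message = timestamp.encode("utf-8") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Mapping[str, str], body: bytes,
           now: Optional[float] = None) -> bool:
    """Receiver side: recompute the HMAC and compare it to the header value.

    `body` must be the raw request bytes exactly as received. Re-serialising
    parsed JSON can change whitespace or key order and break the match.
    """
    received = headers.get(SIG_HEADER)
    timestamp = headers.get(TS_HEADER)
    if not received or not timestamp:
        return False  # a missing header is a rejection, never a bypass
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - sent_at) > TOLERANCE_SECONDS:
        return False  # outside the window: treat as a possible replay
    expected = sign(secret, timestamp, body)
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of a guessed signature were correct.
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


if __name__ == "__main__":
    secret = b"demo-shared-secret"                       # constructed sample
    body = b'{"event":"invoice.paid","id":"evt_1"}'     # constructed sample
    ts = str(int(time.time()))
    headers = {SIG_HEADER: sign(secret, ts, body), TS_HEADER: ts}
    print("authentic:", verify(secret, headers, body))
    print("tampered: ", verify(secret, headers, body.replace(b"paid", b"void")))
```

The timestamp is covered by the HMAC, so an attacker who captures a request cannot refresh it without the secret. Rejecting exact duplicates inside the window would additionally require the receiver to remember recently seen event ids.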