Example
Input (Message + Secret + Signature + Algorithm)
Message: GET /api/orders Secret: your-256-bit-secret Signature: f4a4d5e1c8d2b3a9... Algorithm: SHA-256
Result
✓ Match — the message was signed with this secret
Note
Constant-time comparison — never returns early on the first differing byte, defeating timing attacks. Required pattern when verifying Stripe / GitHub / Slack webhook payloads.
Usage / FAQ
When to use
- Verify X-Signature headers on Stripe / GitHub / Slack webhooks
- Debug AWS Signature V4 — compare expected vs actual signature
- Test API request signing locally
- Verify a JWT HS256 token's signature portion directly
- Round-trip workflow with HMAC Generator (pair)
FAQ
- Q.Why is constant-time comparison important?
- A.Plain `==` returns early on the first differing byte — measuring that timing lets an attacker guess the signature one character at a time. This tool XORs all bytes for a uniform comparison time.
- Q.What if my signature is Base64?
- A.Currently hex-only. Convert Base64 → bytes → hex first (Base64 tool → re-encode as hex). Direct Base64 support is under consideration.
- Q.Is the secret sent anywhere?
- A.No. `crypto.subtle.importKey` + `subtle.sign` run entirely in the browser — secret, message, and signature never leave your device.
Fun facts
Almost every webhook system — Stripe, GitHub, Slack, Twilio — uses HMAC signatures. The receiver compares the incoming payload + signature to verify tamper-resistance and sender authenticity. It's the de facto pattern for 'asymmetric trust via a shared secret.'
Stripe — Webhook signaturesConstant-time comparison (`crypto.timingSafeEqual`) is the crux of HMAC verification. Naive `===` returns early on the first differing byte, leaking a timing side-channel measurable even across the network — Lawson's 2009 Keyczar vulnerability is the canonical case study.
Wikipedia — Timing attackSignature alone isn't enough to defeat replay attacks — you also need to sign a timestamp and reject requests older than ~5 minutes. Stripe's `t=` + `v1=` header format encodes timestamp + signature together, and is a clean reference for that pattern.
Stripe — Verify webhook
Related guides
- What is JWT? Token Structure and Secure Use
JSON Web Token (JWT) explained from header/payload/signature to verification, secret rotation, and common security pitfalls.
- HMAC Webhook Verification — How Stripe, GitHub, and Slack Sign Requests
Why webhooks need HMAC signatures, how providers like Stripe and GitHub sign payloads, constant-time comparison, replay protection, and a step-by-step verifier.
- Webhooks vs Polling vs SSE vs WebSocket — Picking the Right Real-Time Pattern
Four real-time integration patterns compared on latency, cost, complexity, and failure modes. When to use webhooks, when to fall back to polling, and where SSE/WebSocket fit.
Related tools
- Base64 Encode / Decode
Encode text to Base64 or decode Base64 back to text. Runs entirely in your browser, no data sent to any server.
- URL Encode / Decode
Percent-encode text for safe use in URLs, or decode percent-encoded URLs back to text. Runs entirely in your browser.
- UUID / ULID Generator
Generate UUID v4 (random), UUID v7 (time-ordered, RFC 9562), or ULID identifiers — all client-side via crypto.
- JWT Decoder
Decode the header and payload of a JSON Web Token. Signature is not verified (a public key is required). The token is processed entirely in your browser.
- JWT Encoder (HMAC)
Generate a signed JSON Web Token with HS256/HS384/HS512 (HMAC-SHA). Payload and secret stay in your browser — Web Crypto API based.
- SHA Hash
Compute SHA-1, SHA-256, SHA-384, or SHA-512 hash of text. Uses the browser's Web Crypto API; no data is sent to any server.
- Hex Encode / Decode
Encode text to hexadecimal or decode hex back to text. Supports UTF-8 multi-byte characters and tolerates whitespace.
- HTML Entity Encode / Decode
Encode HTML special characters (&, <, >, ", ') to entities, or decode named/numeric entities back to text.
- Password Generator
Generate cryptographically strong passwords, tokens, random strings, and passphrases with entropy display.
- Number Base Converter
Convert numbers between bases (binary/octal/decimal/hex/base36) using BigInt for large integers. Auto-detects 0b/0o/0x prefixes.
- URL Parser
Decompose a URL into protocol, host, path, query parameters, and hash — read-only inspection.
- HMAC Generator
Compute HMAC (Hash-based Message Authentication Code) with SHA-1/256/384/512 using the Web Crypto API.
- MD5 Hash
Compute MD5 hash for text. Note: MD5 is broken for security — checksums and legacy compatibility only.
- Punycode (IDN)
Convert international domain names to/from Punycode (xn-- encoded ASCII). Uses native URL parser.
- HTTP Status Codes
Browse and search HTTP status codes (1xx-5xx) with descriptions and common usage.
- User-Agent Parser
Parse User-Agent strings into browser, OS, device, and engine fields.
- Bcrypt Hash
Hash passwords with Bcrypt or verify a plaintext against an existing hash. Configurable salt rounds.
- Cookie Parser
Parse Cookie or Set-Cookie strings into a table. Decode percent-encoded values. Supports Set-Cookie attributes (Path/Domain/Max-Age/SameSite/HttpOnly/Secure).
- IP / CIDR Calculator
Compute network address, broadcast, host range, mask, and host count from an IPv4 + CIDR.
- cURL Builder
Build cURL commands from URL/method/headers/body. Auto-detects JSON content-type.