Verify HMAC

Verify HMAC signatures using constant-time comparison to prevent timing attacks.

POST /v1/auth/hmac-verify (1 credit)

curl:

```bash
curl -X POST "https://auth.toolkitapi.io/v1/auth/hmac-verify" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "message": "Hello, World!",
    "key": "my-secret-key",
    "signature": "8a7a79421413ad53b34dc84e5a1a7e34085d237e9e78b9a5c41f72a74e832c5c",
    "algorithm": "sha256"
  }'
```

Python:

```python
import httpx

resp = httpx.post(
    "https://auth.toolkitapi.io/v1/auth/hmac-verify",
    # The endpoint is authenticated; send the same bearer token as the curl example.
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    json={
        "message": "Hello, World!",
        "key": "my-secret-key",
        "signature": "8a7a79421413ad53b34dc84e5a1a7e34085d237e9e78b9a5c41f72a74e832c5c",
        "algorithm": "sha256",
    },
)
print(resp.json())
```

JavaScript:

```javascript
const resp = await fetch("https://auth.toolkitapi.io/v1/auth/hmac-verify", {
  method: "POST",
  headers: {
    // The endpoint is authenticated; send the same bearer token as the curl example.
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    "message": "Hello, World!",
    "key": "my-secret-key",
    "signature": "8a7a79421413ad53b34dc84e5a1a7e34085d237e9e78b9a5c41f72a74e832c5c",
    "algorithm": "sha256"
  }),
});
const data = await resp.json();
console.log(data);
```

Response 200 OK:

```json
{
  "valid": true
}
```

How to Use

1. Provide the original `message`, the `key` used for signing, and the `signature` to verify.

2. Set the `algorithm` to match what was used during signing (defaults to `sha256`).

3. Send a POST request. The response contains a `valid` boolean indicating whether the signature matches.

About This Tool

The Verify HMAC endpoint checks whether an HMAC signature is valid for a given message and secret key. It uses constant-time comparison to prevent timing attacks, where an attacker could deduce the correct signature by measuring response times.

This is the companion to the Generate HMAC endpoint. While you could compute an HMAC and compare strings yourself, naive string comparison is vulnerable to timing side-channels. This endpoint handles that securely for you.

Use this for verifying incoming webhook signatures, validating signed API requests, or checking message integrity in any HMAC-based authentication scheme.

Frequently Asked Questions

Why not just compute the HMAC and compare strings myself?

Naive string comparison (e.g., `==`) leaks timing information — an attacker can determine how many bytes match by measuring response time. This endpoint uses `hmac.compare_digest()` for constant-time comparison, closing that side-channel.

What happens if the algorithm doesn't match?

If the signature was generated with `sha512` but you verify with `sha256`, the computed HMAC will differ and `valid` will be `false`. Always use the same algorithm for both signing and verification.

Can I verify signatures from third-party services?

Yes, as long as the service uses standard HMAC-SHA256/384/512 and you know the shared secret. This is common for verifying webhooks from Stripe, GitHub, Slack, and similar services.
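The following is an added, stand-alone illustration of the check this endpoint performs (written for this page, not the service's own code): it recomputes the HMAC for the documented algorithms, compares it with `hmac.compare_digest()`, and shows why an algorithm mismatch or a tampered message yields `valid: false`. The function names and the constructed request body are assumptions made for the example.

```python
import hashlib
import hmac

# The algorithms the endpoint documents; sha256 is the default.
SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def sign(message: str, key: str, algorithm: str = "sha256") -> str:
    """Hex HMAC of message under key (the signing side, e.g. a webhook sender)."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hmac.new(key.encode(), message.encode(), SUPPORTED[algorithm]).hexdigest()


def naive_verify(message: str, key: str, signature: str, algorithm: str = "sha256") -> bool:
    """The pattern the FAQ warns against: '==' stops at the first differing byte,
    so the comparison time depends on how much of the guess is correct."""
    return sign(message, key, algorithm) == signature


def verify(message: str, key: str, signature: str, algorithm: str = "sha256") -> bool:
    """Constant-time verification: recompute the tag, then compare with compare_digest.

    A malformed signature (non-hex, odd length) returns False rather than raising, so the
    caller cannot tell 'bad format' from 'bad value' through a different error path."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    expected = hmac.new(key.encode(), message.encode(), SUPPORTED[algorithm]).digest()
    try:
        provided = bytes.fromhex(signature)  # accepts upper- or lower-case hex
    except ValueError:
        return False
    # compare_digest takes time independent of where the first mismatch is;
    # a length mismatch (e.g. a sha512 tag checked as sha256) simply returns False.
    return hmac.compare_digest(expected, provided)


def handle_request(body: dict) -> dict:
    """Mirror the endpoint's request/response shape: {message,key,signature,algorithm} -> {valid}."""
    valid = verify(body["message"], body["key"], body["signature"], body.get("algorithm", "sha256"))
    return {"valid": valid}


if __name__ == "__main__":
    # Constructed request: sign locally, then verify the way the endpoint would.
    tag = sign("Hello, World!", "my-secret-key")
    print(handle_request({"message": "Hello, World!", "key": "my-secret-key", "signature": tag}))
```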

Start using Verify HMAC now

Get your free API key and make your first request in under a minute.