Generador de Firma de API
Guía
Generador de Firma de API
Generate HMAC-based API request signatures for webhook verification, API authentication, and request signing. Supports HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512 with secret keys in plain text or hexadecimal format, outputting both hex and Base64 signatures for immediate use in HTTP headers or query parameters.
Cómo utilizar
Enter the message or data to sign (typically a request body, URL, or canonical string), provide your secret key, select the key format (plain text or hex), and choose the HMAC algorithm. The signature appears instantly in both hex and Base64 formats. Use the built-in example to see a real-world webhook signing scenario.
Características
- 3 algorithms – HMAC-SHA1, HMAC-SHA256 (default), HMAC-SHA512
- Dual key formats – plain text or hexadecimal secret keys
- Dual output – signature in both hex and Base64 encoding
- Real-time generation – signature updates instantly as you type
- Example preset – one-click webhook signing example to get started
- Solo del lado del cliente – your secret key never leaves the browser
Preguntas frecuentes
-
How does HMAC-based API authentication work?
HMAC (Hash-based Message Authentication Code) authentication works by both parties sharing a secret key. The sender computes HMAC(secret, message) and sends the result as a signature header. The receiver independently computes the same HMAC and compares it to the received signature. Because only parties with the secret key can produce a valid signature, a matching HMAC proves authenticity and integrity of the message.
-
What is the difference between HMAC-SHA256 and a plain SHA256 hash?
A plain SHA256 hash is deterministic and public — anyone can compute SHA256(data). HMAC-SHA256 incorporates a secret key into the computation using a two-pass construction: HMAC(k, m) = H((k ⊕ opad) || H((k ⊕ ipad) || m)). This means only parties with the secret key can produce or verify the signature, making it suitable for authentication where plain hashes are not.
-
Why do webhook systems use HMAC signatures?
Webhooks deliver HTTP POST requests from a server to your endpoint. Without authentication, any server could send fake events. HMAC signatures solve this: the webhook provider signs the payload with a shared secret, and your server re-computes the HMAC to verify authenticity before processing the event. GitHub, Stripe, Shopify, and most modern webhook systems use this pattern with HMAC-SHA256.
-
What should I use as the message for API request signing?
The message content varies by API. Common approaches include: signing just the request body (Stripe, GitHub webhooks), signing a canonical string of method + URL + timestamp + body (AWS Signature V4), or signing a sorted query string. Always check your API provider’s documentation for their exact canonical string format, as even whitespace differences will produce a different signature.
Instalar extensiones
Agregue herramientas IO a su navegador favorito para obtener acceso instantáneo y búsquedas más rápidas
恵 ¡El marcador ha llegado!
Marcador es una forma divertida de llevar un registro de tus juegos, todos los datos se almacenan en tu navegador. ¡Próximamente habrá más funciones!
Herramientas clave
Ver todo Los recién llegados
Ver todoActualizar: Nuestro última herramienta fue agregado el 24 de mar de 2026
Involucrarse
Ayúdanos a seguir brindando valiosas herramientas gratuitas
