Générateur de signature d'API
Guide
Générateur de signature d'API
Generate HMAC-based API request signatures for webhook verification, API authentication, and request signing. Supports HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512 with secret keys in plain text or hexadecimal format, outputting both hex and Base64 signatures for immediate use in HTTP headers or query parameters.
Comment utiliser
Enter the message or data to sign (typically a request body, URL, or canonical string), provide your secret key, select the key format (plain text or hex), and choose the HMAC algorithm. The signature appears instantly in both hex and Base64 formats. Use the built-in example to see a real-world webhook signing scenario.
Caractéristiques
- 3 algorithms – HMAC-SHA1, HMAC-SHA256 (default), HMAC-SHA512
- Dual key formats – plain text or hexadecimal secret keys
- Dual output – signature in both hex and Base64 encoding
- Real-time generation – signature updates instantly as you type
- Example preset – one-click webhook signing example to get started
- Côté client uniquement – your secret key never leaves the browser
FAQ
-
How does HMAC-based API authentication work?
HMAC (Hash-based Message Authentication Code) authentication works by both parties sharing a secret key. The sender computes HMAC(secret, message) and sends the result as a signature header. The receiver independently computes the same HMAC and compares it to the received signature. Because only parties with the secret key can produce a valid signature, a matching HMAC proves authenticity and integrity of the message.
-
What is the difference between HMAC-SHA256 and a plain SHA256 hash?
A plain SHA256 hash is deterministic and public — anyone can compute SHA256(data). HMAC-SHA256 incorporates a secret key into the computation using a two-pass construction: HMAC(k, m) = H((k ⊕ opad) || H((k ⊕ ipad) || m)). This means only parties with the secret key can produce or verify the signature, making it suitable for authentication where plain hashes are not.
-
Why do webhook systems use HMAC signatures?
Webhooks deliver HTTP POST requests from a server to your endpoint. Without authentication, any server could send fake events. HMAC signatures solve this: the webhook provider signs the payload with a shared secret, and your server re-computes the HMAC to verify authenticity before processing the event. GitHub, Stripe, Shopify, and most modern webhook systems use this pattern with HMAC-SHA256.
-
What should I use as the message for API request signing?
The message content varies by API. Common approaches include: signing just the request body (Stripe, GitHub webhooks), signing a canonical string of method + URL + timestamp + body (AWS Signature V4), or signing a sorted query string. Always check your API provider’s documentation for their exact canonical string format, as even whitespace differences will produce a different signature.
Installez nos extensions
Ajoutez des outils IO à votre navigateur préféré pour un accès instantané et une recherche plus rapide
恵 Le Tableau de Bord Est Arrivé !
Tableau de Bord est une façon amusante de suivre vos jeux, toutes les données sont stockées dans votre navigateur. D'autres fonctionnalités arrivent bientôt !
Outils essentiels
Tout voir Nouveautés
Tout voirMise à jour: Notre dernier outil was added on Mar 24, 2026
Impliquez-vous
Aidez-nous à continuer à fournir des outils gratuits et précieux
