What is HMAC Signature?
A keyed cryptographic hash used to verify that a webhook request is authentic and has not been tampered with.
Definition
HMAC (Hash-based Message Authentication Code) signature is a cryptographic technique used to verify the authenticity and integrity of a webhook payload. The sender computes a hash of the request body using a shared secret key and includes it in a header (e.g., X-Signature). The receiver recomputes the hash with the same secret and compares it: if they match, the request is authentic and unmodified.
Simple Analogy
Like a wax seal on a medieval letter: only the sender has the unique seal, and any tampering with the letter would break the seal, proving the message is authentic and unaltered.
Why It Matters
HMAC signatures prevent unauthorized parties from triggering your cron job endpoints. Even if an attacker discovers your endpoint URL, they cannot forge a valid HMAC signature without the shared secret. This is more secure than API keys alone, because it also verifies the request body has not been tampered with in transit.
How to Verify
Implement signature verification on your endpoint: extract the signature header, compute HMAC-SHA256 of the request body with your shared secret, and compare. CronJobPro can send HMAC signatures with each request. Test by sending a request with an invalid signature and verifying your endpoint rejects it.
Common Mistakes
Using a weak hashing algorithm (MD5, SHA1) instead of SHA-256 or SHA-512. Comparing signatures with simple string equality (vulnerable to timing attacks) instead of constant-time comparison. Not including a timestamp in the signed payload, making signatures replayable indefinitely.
Best Practices
Use HMAC-SHA256 or SHA-512 with a 32+ character random secret. Use constant-time comparison to prevent timing attacks. Include a timestamp in the signed payload and reject requests older than 5 minutes to prevent replay attacks. Rotate secrets periodically.
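The verification steps in "How to Verify", the mistakes listed under "Common Mistakes" and the "Best Practices" above, as one worked example. This is an added illustration and not CronJobPro's own code: the header names X-Signature and X-Timestamp, the "timestamp.body" signing layout, and the secret and payload values are constructed assumptions, since the page does not specify how the timestamp is carried. It uses Python's standard hmac module, with hmac.compare_digest for the constant-time comparison.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Assumed header names (the page only mentions X-Signature as an example).
SIGNATURE_HEADER = "X-Signature"
TIMESTAMP_HEADER = "X-Timestamp"
# Best practice from the page: reject requests older than 5 minutes.
MAX_AGE_SECONDS = 300


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<body>'.

    Covering the timestamp with the signature means an attacker who
    replays a captured request cannot simply change the timestamp
    header to keep it inside the acceptance window.
    """
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver side: returns (accepted, reason).

    `body` must be the raw request bytes exactly as received; re-serialising
    parsed JSON can reorder keys or change whitespace and break the match.
    """
    if now is None:
        now = int(time.time())

    signature = headers.get(SIGNATURE_HEADER)
    timestamp_text = headers.get(TIMESTAMP_HEADER)
    if signature is None or timestamp_text is None:
        return False, "missing signature or timestamp header"

    try:
        timestamp = int(timestamp_text)
    except ValueError:
        return False, "malformed timestamp"

    # Replay protection: abs() also rejects timestamps far in the future.
    if abs(now - timestamp) > MAX_AGE_SECONDS:
        return False, "timestamp outside acceptance window"

    expected = sign(secret, timestamp, body)
    # Never use `expected == signature` here: plain string comparison
    # stops at the first differing byte and leaks timing information.
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    secret = b"constructed-demo-secret-please-use-32-plus-random-chars"
    body = b'{"job":"nightly-report","run":42}'
    ts = int(time.time())
    headers = {SIGNATURE_HEADER: sign(secret, ts, body), TIMESTAMP_HEADER: str(ts)}
    print(verify(secret, headers, body))                    # (True, 'ok')
    print(verify(secret, headers, body + b" "))             # (False, 'signature mismatch')
    print(verify(secret, headers, body, now=ts + 600))      # (False, 'timestamp outside acceptance window')
```

The sender and receiver must agree on exactly which bytes are signed; the "timestamp.body" layout here is one common convention, and any fixed, unambiguous layout works as long as both sides use it. Testing the rejection paths (tampered body, stale timestamp, missing header) is the check the page recommends, and each returns a distinct reason so the endpoint can log why a request was refused without revealing the expected signature.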
Related Terms
Webhook Signature Verification
Validating that an incoming webhook request is authentic by checking its cryptographic signature.
Authentication
Verifying the identity of a user or system making a request to your endpoint.
Webhook
An HTTP callback that automatically sends data to a URL when a specific event occurs.
Secret
Any sensitive credential, such as a password, API key or token, that must be protected from exposure.