ruby python 18 lines · 2 tabs

HMAC signed API requests for webhook and partner integrity

Kai Nakamura Apr 2026
2 tabs
timestamp = request.headers.fetch('X-Signature-Timestamp')
signature = request.headers.fetch('X-Signature')
payload = request.raw_post

data = "#{timestamp}.#{payload}"
expected = OpenSSL::HMAC.hexdigest('SHA256', ENV.fetch('WEBHOOK_SECRET'), data)

unless ActiveSupport::SecurityUtils.secure_compare(signature, expected)
  head :unauthorized
end
2 files · ruby, python Explain with highlit

When I need lightweight message integrity without standing up a full asymmetric trust model, HMAC signing is a solid tool. The important details are canonicalization, timestamp freshness, and constant-time comparison. Most failed implementations get the signing process almost right and that is not good enough.

Share this code

Here's the card — post it anywhere.

HMAC signed API requests for webhook and partner integrity — share card
Link copied