An HMAC signature (hash-based message authentication code) is how a receiver proves that a message came from the party it claims to come from and was not tampered with in transit. The sender and receiver share a secret out of band. For each message, the sender computes HMAC-SHA256(secret, payload) and includes the result in a header. The receiver recomputes the same value over the raw payload using its copy of the secret; if the two match, the message is authentic.
For webhooks, this is essential: a webhook URL is a public POST endpoint, and without a signature anyone who learns the URL could forge requests to it. Verifying the HMAC turns "any request that hits this URL" into "a request I can prove the sender produced."
Three details make an implementation correct: sign the raw request bytes (not a re-serialized object), compare in constant time to avoid timing attacks, and include a timestamp so old captured deliveries cannot be replayed. The webhooks guide and the HMAC verification walkthrough show working receivers.
Related terms
Webhook
An automated HTTP POST that a service sends to a URL you control whenever an event happens, so your systems react in near real time without polling.
Spam filtering
The layered techniques a form backend uses to keep automated and unwanted submissions out of your inbox without blocking real people.