HMAC (Hash-based Message Authentication Code)
// Definition
A cryptographic construction that produces a fixed-length authentication tag from a message and a shared secret key, using a hash function (typically SHA-256). Unlike a plain hash, the secret prevents an attacker who doesn't know the key from forging a valid tag — even if they intercept the payload. HMAC-SHA256 is the standard webhook signature scheme used by Stripe, GitHub, Shopify, and most webhook providers: the sender signs the payload with the shared secret; the receiver recomputes HMAC(payload, shared_secret) and compares it to the signature header value. Testing considerations: verify the receiver recomputes independently (not just trusts the header), test correct signature → accepted, incorrect signature → 4xx, tampered payload → rejected, replayed valid signature after the expiry window → rejected.
// Related terms
Signature Verification
The process of recomputing a cryptographic signature from a known algorithm, key, and payload, then comparing the result to the signature provided by the sender. If they match, the payload is authentic (originated from a party holding the secret) and unmodified in transit. Webhook signature verification uses HMAC-SHA256: the receiver recomputes HMAC(payload, shared_secret) and compares it to the signature header (e.g. X-Hub-Signature-256, Stripe-Signature, X-Shopify-Hmac-Sha256). Testing checklist: correct signature → accepted (200); tampered payload with original signature → rejected (401/400); missing signature header → rejected; signature for a different payload → rejected; replayed valid signature after expiry window → rejected.
Webhook
An HTTP callback that a service POSTs to a registered URL when an event occurs — Stripe payment succeeded, GitHub PR merged. Tests must handle delivery delays, retries, signature verification, and out-of-order events.
Payload
The data carried in the body of a request or response, typically JSON or XML. The 'what' an HTTP message is communicating — distinct from headers and metadata.
Token
A portable credential — typically a signed string — that a server issues and a client presents on subsequent requests to prove identity or authorisation. Tokens are stateless alternatives to server-side sessions; the server can verify them without a database lookup. Common forms: opaque bearer tokens (random strings referenced in a database), JWTs (self-contained with claims and a signature), and OAuth access tokens (short-lived grants scoped to specific resources). Key testing considerations: token expiry, revocation, scope enforcement, and transmission security (HTTPS-only, no logging).