Signature Verification
// Definition
The process of recomputing a cryptographic signature from a known algorithm, key, and payload, then comparing the result to the signature provided by the sender. If they match, the payload is authentic (originated from a party holding the secret) and unmodified in transit. Webhook signature verification uses HMAC-SHA256: the receiver recomputes HMAC(payload, shared_secret) and compares it to the signature header (e.g. X-Hub-Signature-256, Stripe-Signature, X-Shopify-Hmac-Sha256). Testing checklist: correct signature → accepted (200); tampered payload with original signature → rejected (401/400); missing signature header → rejected; signature for a different payload → rejected; replayed valid signature after expiry window → rejected.
// Related terms
HMAC (Hash-based Message Authentication Code)
A cryptographic construction that produces a fixed-length authentication tag from a message and a shared secret key, using a hash function (typically SHA-256). Unlike a plain hash, the secret prevents an attacker who doesn't know the key from forging a valid tag — even if they intercept the payload. HMAC-SHA256 is the standard webhook signature scheme used by Stripe, GitHub, Shopify, and most webhook providers: the sender signs the payload with the shared secret; the receiver recomputes HMAC(payload, shared_secret) and compares it to the signature header value. Testing considerations: verify the receiver recomputes independently (not just trusts the header), test correct signature → accepted, incorrect signature → 4xx, tampered payload → rejected, replayed valid signature after the expiry window → rejected.
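The receiver-side check and the testing checklist from the definitions above, as an added example that is not code from this page or from any provider. The header names `X-Signature-256` and `X-Signature-Timestamp`, the `<timestamp>.<payload>` signing format, the 300-second window and the status codes chosen per case are assumptions made for illustration.

```python
import hashlib
import hmac

TOLERANCE_SECONDS = 300  # assumed expiry window; the page does not specify one

def sign(secret: bytes, timestamp: int, payload: bytes) -> str:
    """Sender side: HMAC-SHA256 over b"<timestamp>.<payload>", hex-encoded."""
    message = str(timestamp).encode() + b"." + payload
    return "sha256=" + hmac.new(secret, message, hashlib.sha256).hexdigest()

def verify(secret: bytes, headers: dict, payload: bytes, now: int) -> int:
    """Receiver side: return the HTTP status the endpoint should answer with."""
    provided = headers.get("X-Signature-256")        # hypothetical header name
    timestamp = headers.get("X-Signature-Timestamp")  # hypothetical header name
    if not provided or not timestamp:
        return 401  # missing signature header
    try:
        ts = int(timestamp)
    except ValueError:
        return 400  # malformed timestamp
    # Recompute from the raw body bytes; the header is only the value to compare.
    expected = sign(secret, ts, payload)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), provided.encode()):
        return 401  # tampered payload, wrong key, or signature for other data
    # Freshness is checked after authenticity: the MAC covers the timestamp,
    # so a sender cannot refresh an old signature by editing the header.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return 401  # valid signature replayed after the expiry window
    return 200

# Constructed sample data, not real credentials or events.
SECRET = b"constructed-shared-secret"
BODY = b'{"event":"payment.succeeded","amount":1999}'
SENT_AT = 1_700_000_000
HEADERS = {"X-Signature-256": sign(SECRET, SENT_AT, BODY),
           "X-Signature-Timestamp": str(SENT_AT)}

def run_checklist() -> dict:
    """Run each checklist case and return the status the receiver produced."""
    other = sign(SECRET, SENT_AT, b'{"event":"refund.created"}')
    t = SENT_AT + 5
    return {
        "correct": verify(SECRET, HEADERS, BODY, t),
        "tampered": verify(SECRET, HEADERS, BODY.replace(b"1999", b"1"), t),
        "missing": verify(SECRET, {"X-Signature-Timestamp": str(SENT_AT)}, BODY, t),
        "other_payload": verify(SECRET, {**HEADERS, "X-Signature-256": other}, BODY, t),
        "replayed": verify(SECRET, HEADERS, BODY, SENT_AT + TOLERANCE_SECONDS + 1),
    }
```

The signature must be computed over the exact bytes received; parsing and re-serialising the JSON before verification changes the bytes and makes valid requests fail.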
Webhook
An HTTP callback that a service POSTs to a registered URL when an event occurs — Stripe payment succeeded, GitHub PR merged. Tests must handle delivery delays, retries, signature verification, and out-of-order events.
Payload
The data carried in the body of a request or response, typically JSON or XML. The 'what' an HTTP message is communicating — distinct from headers and metadata.
Token
A portable credential — typically a signed string — that a server issues and a client presents on subsequent requests to prove identity or authorisation. Tokens are stateless alternatives to server-side sessions when they are self-contained: the server can verify them without a database lookup. Common forms: opaque bearer tokens (random strings referenced in a database), JWTs (self-contained with claims and a signature), and OAuth access tokens (short-lived grants scoped to specific resources). Key testing considerations: token expiry, revocation, scope enforcement, and transmission security (HTTPS-only, no logging).