Generate an HMAC Secret

HMAC secrets are shared private values used to sign and verify messages. They are common in webhook systems, API callbacks, and server-to-server integrations.

Recommended Variable

WEBHOOK_SECRET="..."

Recommended Format

Hex, 64 characters

How to do it

  1. Open the Secret Key Generator and choose the HMAC/Webhook Secret preset.
  2. Generate a 64-character hex secret.
  3. Store the secret on both the sender and receiver side of the integration.
  4. Use the HMAC Generator to test SHA-256 signatures before shipping.
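
The same steps as a local script, for checking a sender and receiver against each other before shipping. This is an added example, not code from this site or its generators; the function names, the sample payload, and the choice to hex-decode the secret into 32 key bytes are assumptions.

```python
import hashlib
import hmac
import re
import secrets

HEX64 = re.compile(r"[0-9a-fA-F]{64}")  # the recommended format: hex, 64 characters


def generate_secret() -> str:
    """Return 32 bytes from the OS CSPRNG as a 64-character hex string."""
    return secrets.token_hex(32)


def sign(secret_hex: str, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the raw request body, hex-encoded."""
    if not HEX64.fullmatch(secret_hex):
        raise ValueError("secret must be exactly 64 hex characters")
    # Assumption: the hex text is decoded to 32 raw bytes and used as the key.
    # Sender and receiver must agree; some systems key on the ASCII text instead.
    key = bytes.fromhex(secret_hex)
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(secret_hex: str, body: bytes, received_sig: str) -> bool:
    """Receiver side: recompute over the bytes as received, compare in constant time."""
    expected = sign(secret_hex, body).encode()
    candidate = received_sig.strip().lower().encode()
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    secret = generate_secret()
    print(f'WEBHOOK_SECRET="{secret}"')

    # Constructed sample payload, not a real provider event.
    body = b'{"event":"invoice.paid","id":"evt_constructed_001"}'
    sig = sign(secret, body)
    print("signature:", sig)

    print("untouched body verifies:", verify(secret, body, sig))
    # One changed byte in the body must fail verification.
    print("tampered body verifies:", verify(secret, body.replace(b"paid", b"void"), sig))
    # A receiver holding a different secret must also fail.
    print("wrong secret verifies:", verify(generate_secret(), body, sig))
```

Sign and verify the exact bytes on the wire; re-serializing parsed JSON before verification usually changes whitespace or key order and breaks the signature.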

FAQ

Is an HMAC secret the same as an API key?

Not exactly. API keys identify or authorize callers, while HMAC secrets sign payloads so the receiver can verify integrity and authenticity.

Should webhook secrets be unique per integration?

Yes. Use a different secret for each provider or environment so one leaked value does not compromise every webhook.