HMAC sign

POST /api/hmac-sign

Compute HMAC signatures over an HTTP API. SHA-1, SHA-256, SHA-384, or SHA-512 with a shared secret. Returns the signature in hex, standard base64, and URL-safe base64 — match whichever your verifier expects.

Computes a Message Authentication Code (HMAC) over arbitrary input using a shared secret. The output value is the same one your verifier will recompute on its side — match the bytes and the message is authenticated. Common use cases: - **Webhook signing** — Stripe, GitHub, Slack, Twilio etc. all attach an HMAC over the payload so receivers can confirm it was not tampered with. - **Request signing** — AWS Sigv4, S3 presigned URLs, and many internal RPC schemes use HMAC over a canonical request representation. The output is returned in three encodings (hex, standard base64, URL-safe base64) so you can match whatever your verifier expects without re-encoding.

Inputs

Name	Type	Default	Description
data*	string	—	Message to sign (UTF-8 string by default; base64 if dataFormat=base64).
secret*	string	—	Shared secret (UTF-8 string by default; base64 if secretFormat=base64).
algorithm	enum (SHA-1 \| SHA-256 \| SHA-384 \| SHA-512)	"SHA-256"	Hash algorithm.
dataFormat	enum (text \| base64)	"text"	How `data` is encoded. `text` = UTF-8; `base64` for binary inputs.
secretFormat	enum (text \| base64)	"text"	How `secret` is encoded. `text` = UTF-8; `base64` for binary keys.

Response

Modes: json. Cache: yes (24h TTL).

Code samples

Built from the sha256-default example.


curl -X POST https://api.xtract.bot/api/hmac-sign \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-Account-Id: $XTRACT_ACCOUNT_ID" \
  -H "X-Api-Key: $XTRACT_API_KEY" \
  -d '{
  "data": "{\"event\":\"order.created\",\"id\":\"ord_123\"}",
  "secret": "whsec_replace_me_in_production"
}'