HMAC verify

POST /api/hmac-verify

Verify an HMAC signature against a payload + secret. Constant-time comparison so timing attacks cannot leak the signature byte-by-byte.

Recomputes an HMAC over the payload + secret and compares it against the signature you supply. Returns `{valid: true}` if they match, `{valid: false}` otherwise. The comparison is constant-time, so an attacker probing for the right signature byte-by-byte cannot use response timing as a side channel. Accepts the signature in hex, standard base64, or URL-safe base64 — same encodings `hmac-sign` produces.

Inputs

Name	Type	Default	Description
data*	string	—	Message that was signed.
secret*	string	—	Shared secret — must match the signer's.
signature*	string	—	Candidate signature to verify.
algorithm	enum (SHA-1 \| SHA-256 \| SHA-384 \| SHA-512)	"SHA-256"	Hash algorithm — must match the signer.
signatureEncoding	enum (hex \| base64 \| base64url)	"hex"	Encoding of the supplied signature.
dataFormat	enum (text \| base64)	"text"	How `data` is encoded. `text` = UTF-8; `base64` for binary.
secretFormat	enum (text \| base64)	"text"	How `secret` is encoded.

Response

Modes: json. Cache: not cacheable.