Crypto & Security 1 credit COMPUTE

HMAC-SHA256 API

Generate HMAC-SHA256 message authentication codes via REST API. HMAC is the standard mechanism for verifying that a message was created by a party holding a shared secret key — used in webhook signature verification (Stripe, GitHub, Shopify), AWS request signing, and JWT validation.

Try it live →

How it works

POST your message data and a secret key. The API computes HMAC-SHA256 using Node.js crypto and returns the hex-encoded MAC. To verify a webhook, compute the HMAC of the request body with your webhook secret and compare it to the signature in the request header.

Use cases

Verify incoming Stripe, GitHub, or Shopify webhook signatures
Sign API requests with a shared secret for authentication
Generate time-limited tokens that can be verified without a database lookup
Implement request integrity checking in microservice communication

API Reference

POST https://slopshop.gg/v1/crypto-hmac
Authorization: Bearer YOUR_API_KEY
Content-Type: application/json

Input parameters

Parameter	Type	Required	Description
`input / data`	string	required	The input data to hash or process

Example response

{
  "data": {
    "result": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "algorithm": "hmac"
  },
  "meta": {
    "credits_used": 1,
    "engine": "real",
    "ms": 4
  }
}

Examples

Three real-world scenarios showing how developers use HMAC-SHA256 in production.

Example 1

Verify Stripe webhook

Validate an incoming Stripe webhook payload signature.

curl -X POST https://slopshop.gg/v1/crypto-hmac \
  -H "Authorization: Bearer $SLOPSHOP_KEY" \
  -H "Content-Type: application/json" \
  -d '{"data": "{\"id\":\"evt_123\",\"type\":\"payment_intent.succeeded\"}", "key": "whsec_your_stripe_secret"}'

Example 2

Sign API request

Sign a request body with a shared secret before sending to a partner API.

curl -X POST https://slopshop.gg/v1/crypto-hmac \
  -H "Authorization: Bearer $SLOPSHOP_KEY" \
  -H "Content-Type: application/json" \
  -d '{"data": "POST /api/orders 1705312800 {"sku":"ABC123"}", "key": "partner-api-secret"}'

Example 3

Generate one-time token

Create a time-limited token for a password reset link.

curl -X POST https://slopshop.gg/v1/crypto-hmac \
  -H "Authorization: Bearer $SLOPSHOP_KEY" \
  -H "Content-Type: application/json" \
  -d '{"data": "user:42:reset:1705312800", "key": "app-reset-secret"}'

Code examples

curl

curl -X POST https://slopshop.gg/v1/crypto-hmac \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"input": "your data here"}'

Python

import requests

response = requests.post(
    "https://slopshop.gg/v1/crypto-hmac",
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    json={"input": "your data here"}
)
result = response.json()
print(result["data"])

Node.js

const response = await fetch("https://slopshop.gg/v1/crypto-hmac", {
  method: "POST",
  headers: {
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({ input: "your data here" })
});
const { data } = await response.json();
console.log(data);

CLI

# Install the Slopshop CLI
npm install -g slopshop

# Set your API key
export SLOPSHOP_KEY=your_api_key

# Call crypto-hmac
slop crypto-hmac '{"input": "your data here"}'

Pricing

Credits per call

credits

Cost per call

$0.001

at Starter tier

Tier

COMPUTE

Pure compute

Credits are purchased in bundles starting at $1 for 1,000 credits. All compute APIs like this one use 1 credit per call — that's $0.001. See all pricing tiers.

Related APIs in Crypto & Security

View the full API catalog · Try in playground · Documentation