hmac_sha256

Generates an HMAC-SHA256 hash of a message using a secret key. Commonly used for webhook signature verification, API authentication, and secure token generation.

{% assign signature = "message body" | hmac_sha256: "secret_key" %}
{% log signature %}

Syntax

{{ message | hmac_sha256: key }}
{{ message | hmac_sha256: key, encoding }}

Parameter

Description

message

The string to hash

key

The secret key used for hashing

encoding

Output encoding: "hex" (default), "base64", or "utf8"

Return Value

Returns the HMAC-SHA256 hash as a string in the specified encoding.

Examples

Generate a hex-encoded signature (default):

{% assign signature = request.body | hmac_sha256: "my_secret" %}
{% log signature %}

Output:

a1b2c3d4e5f6...

Generate a base64-encoded signature:

{% assign signature = request.body | hmac_sha256: "my_secret", "base64" %}
{% log signature %}

Verify a Shopify webhook signature:

{% assign computed = request.raw_body | hmac_sha256: SHOPIFY_WEBHOOK_SECRET, "base64" %}
{% if computed == request.headers["X-Shopify-Hmac-SHA256"] %}
  {% log "Webhook signature valid" %}
{% else %}
  {% log "Invalid webhook signature!" %}
{% endif %}

Sign an API request:

{% capture string_to_sign %}{{ timestamp }}{{ request_body }}{% endcapture %}
{% assign signature = string_to_sign | hmac_sha256: API_SECRET_KEY %}

{% json headers %}
{
  "X-Signature": "{{ signature }}",
  "X-Timestamp": "{{ timestamp }}"
}
{% endjson %}

Notes

Default encoding is hex
Supported encodings: hex, base64, utf8
The secret key should be stored in global variables, not hardcoded in scripts
See also: sha1, base64_encode

Previousgroup_by_exp Nexthttp

Last updated 4 days ago

hashtagSyntax

hashtagReturn Value

hashtagExamples

hashtagNotes

Syntax

Return Value

Examples

Notes