Cheng Chen Liu

11 minute read

Using KMF for HMAC Verification Hash-based message authentication code (or HMAC) is a common way to validate the authenticity of messages sent over the internet. For example, GitHub and Gitea rely on HMAC (SHA256) to secure webhooks. My team wanted to sync our Gitea Issues and Pull Requests to our ServiceNow instance, thus we wanted a Scripted REST API that verifies HMAC for those webhook messages. There have been a few posts describing how HMAC verification can be implemented (e.