
Understanding HMAC Internals Through Webhook Verification in Go
5/20/2026
Was exploring how webhooks work internally
Go’s standard library is an absolute powerhouse
Got to know some important things
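HMAC: it's a way to create or verify a signature over a message using a secret key.
The formula:
HMAC(K,m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))
ipad and opad are fixed padding constants, each a single byte repeated to fill one block of the hash function H:
ipad = 0x36
opad = 0x5c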
- At first, we take the key and XOR it with the ipad.
- Then we concatenate the new key with the message.
- Then we make a hash of the full message.
- After that, we take the original key and XOR it with the opad.
- We concatenate the new key with the hash we got before.
- Then we hash the full combination again.
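
The steps above written out in Go for SHA-256 and checked against the standard library's `crypto/hmac`, followed by a webhook check that compares tags with `hmac.Equal`. This is an added example, not code from the original post; the function names, the sample secret and body, and the hex encoding of the signature are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// manualHMAC follows the six steps above for SHA-256 (block size 64 bytes).
func manualHMAC(key, msg []byte) []byte {
	// Keys longer than one block are hashed first; shorter keys are zero-padded.
	if len(key) > sha256.BlockSize {
		sum := sha256.Sum256(key)
		key = sum[:]
	}
	k := make([]byte, sha256.BlockSize)
	copy(k, key)
	inner, outer := make([]byte, sha256.BlockSize), make([]byte, sha256.BlockSize)
	for i := range k {
		inner[i] = k[i] ^ 0x36 // K xor ipad
		outer[i] = k[i] ^ 0x5c // K xor opad
	}
	innerSum := sha256.Sum256(append(inner, msg...))         // H((K xor ipad) || m)
	outerSum := sha256.Sum256(append(outer, innerSum[:]...)) // H((K xor opad) || inner hash)
	return outerSum[:]
}

// stdHMAC computes the same tag with crypto/hmac.
func stdHMAC(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// verifyWebhook checks a hex-encoded signature (assumed encoding) in constant time.
func verifyWebhook(secret, body []byte, sigHex string) bool {
	got, err := hex.DecodeString(sigHex)
	if err != nil {
		return false // malformed signature is rejected, never compared
	}
	return hmac.Equal(got, stdHMAC(secret, body))
}

func main() {
	secret, body := []byte("constructed-secret"), []byte(`{"event":"ping"}`) // constructed sample
	sig := hex.EncodeToString(manualHMAC(secret, body))
	fmt.Println(sig, verifyWebhook(secret, body, sig))
}
```

`hmac.Equal` is used instead of `bytes.Equal` or `==` so the comparison time does not depend on how many leading bytes of the signature match.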