Download CV
← Back to All Blogs

Understanding HMAC Internals Through Webhook Verification in Go

5/20/2026309 Reads
Understanding HMAC Internals Through Webhook Verification in Go
Understanding HMAC Internals Through Webhook Verification in Go

Was exploring how webhooks work internally

Go’s standard library is an absolute powerhouse
Got to know some important things
HMAC: its a way to create or verify a signature

The formula

bash
HMAC(K,m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))

ipad and opad are fixed padding constants:

bash
ipad = 0x36opad = 0x5c
  1. At first, we take the key and then we do an XOR with the ipad.
  2. then we concatenate the new key with the message.
  3. then we make a hash of the full message.
  4. after that, we take the original key and we do an XOR with the opad.
  5. we concatenate the new key with the hash we got before.
  6. then we hash the full combination again.

Comments

No one has commented yet! 🥲 That’s common… but you could be the first one to change.