Understanding HMAC Internals Through Webhook Verification in Go
5/20/2026309 Reads


Was exploring how webhooks work internally
Go’s standard library is an absolute powerhouse
Got to know some important things
HMAC: its a way to create or verify a signature
The formula
ipad and opad are fixed padding constants:
- At first, we take the key and then we do an XOR with the
ipad. - then we concatenate the new key with the message.
- then we make a hash of the full message.
- after that, we take the original key and we do an XOR with the
opad. - we concatenate the new key with the hash we got before.
- then we hash the full combination again.
Comments
No one has commented yet! 🥲 That’s common… but you could be the first one to change.