Sign In Get Started

security

sec-hmac-verify Edge Function — Security

Security

Verifies an HMAC-SHA256 or HMAC-SHA512 signature using timing-safe Web Crypto comparison — never throws.

@navin verified

• Updated Mar 12, 2026

Edge function sec-hmac-verify Verifies an HMAC-SHA256 or HMAC-SHA512 signature using timing-safe Web Crypto comparison — never throws.. Deployed on Cloudflare Workers — zero cold starts, globally distributed. Mount it via your Aerostack workspace to call it from any AI agent.

terminal — aerostack cli

$


npx aerostack add  navin/sec-hmac-verify

smart_toy

Use with AI Assistants

MCP

Connect Claude, Cursor, or any MCP-compatible client — then call this function by slug

① Add MCP Server

Add this once — access all Aerostack functions from your AI tool.

claude_desktop_config.json

{
  "mcpServers": {
    "aerostack": {
      "url": "https://mcp.aerostack.dev",
      "type": "http"
    }
  }
}

② Call this function

Ask your AI to use the call_function tool with this slug:

call_function

call_function({
  slug: "sec-hmac-verify",
  args: {
    "payload": "example_payload",
    "signature": "example_signature",
    "secret": "example_secret",
    "algorithm": "SHA-256"
  }
})

sec-hmac-verify — Verify HMAC signatures (timing-safe)

Validates an HMAC-SHA256 or HMAC-SHA512 signature against a payload using crypto.subtle.verify — never vulnerable to timing attacks, never throws.

API

`POST /api/sec-hmac-verify`

Request body

Field	Type	Required	Default	Description
`payload`	string	✅	—	The original string that was signed
`signature`	string	✅	—	Hex-encoded HMAC signature to verify
`secret`	string	✅	—	Shared HMAC secret
`algorithm`	`"SHA-256"` \| `"SHA-512"`	❌	`"SHA-256"`	Hash algorithm

Success response (200)

{
  "success": true,
  "data": {
    "valid": true
  }
}

Error responses

Code	HTTP	When
`INVALID_INPUT`	400	Missing required field
`INTERNAL_ERROR`	500	Unexpected error

Usage

cURL

curl -X POST "$FUNCTION_URL" \
  -H "Content-Type: application/json" \
  -d '{"payload": "webhook body", "signature": "abc123...", "secret": "webhook-secret"}'

TypeScript / JavaScript (HTTP)

const response = await fetch(FUNCTION_URL, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    payload: rawBody,
    signature: req.headers['x-signature'],
    secret: WEBHOOK_SECRET,
  }),
});
const { data } = await response.json();
if (!data.valid) return new Response('Forbidden', { status: 403 });

Direct import (Node / Bun / Deno)

import { hmacVerify } from '@aerostack/functions/sec-hmac-verify';

const { valid } = await hmacVerify({
  payload: rawBody,
  signature: req.headers['x-signature'],
  secret: process.env.HMAC_SECRET!,
});

Use Cases

Verifying incoming webhooks from Stripe, GitHub, Shopify, etc.
Validating signed API requests in server-to-server communication
Checking that email verification or password reset links haven't been tampered with
Ensuring data integrity on cached or stored values

Notes

Uses crypto.subtle.verify — timing-safe by design, prevents signature oracle attacks
Never throws — all failure modes return { valid: false }
Pair with sec-hmac-sign to produce signatures in the same hex format
Always use sec-hmac-verify instead of string comparison for security

Metadata

upgrade Version 1.0.0

gavel License MIT

language Language typescript

cloud Provider aerostack

Tags

security

Publisher

@navin verified

deployed_code

Build and publish your own functions

Write a TypeScript function, deploy it to the edge, and share it with thousands of developers — in minutes.

Publish a Function → Read the docs

More Security Functions

Browse Security Functions →

sec-api-key-generate

by @navin

Generates a cryptographically random API key with a custom prefix using a base62 alphabet — no ambiguous characters, URL-safe.

sec-cors-validate

by @navin

Validates a request Origin against an allow list and returns the correct CORS response headers to set — supports wildcards and credentials.

sec-csp-generate

by @navin

Generates a Content-Security-Policy header value from a structured directives object — supports report-only mode and report-uri.

sec-decrypt-aes

by @navin

Decrypts an AES-256-GCM encrypted bundle produced by sec-encrypt-aes — key is derived via SHA-256, auth tag is verified automatically.

sec-encrypt-aes

by @navin

Encrypts a string with AES-256-GCM using Web Crypto — key is derived via SHA-256, output is a portable IV:ciphertext bundle.

sec-hash-sha256

by @navin

Hashes a string using SHA-256 via the Web Crypto API. Supports hex and base64 output. Zero dependencies.

Frequently asked questions

What does the sec-hmac-verify function do? +

sec-hmac-verify is a serverless edge function for security automation written in aerostack. Deploy it to Cloudflare Workers via your Aerostack workspace.

How do I deploy the sec-hmac-verify function? +

Install the Aerostack CLI and run: ```bash aerostack deploy function @navin/sec-hmac-verify ``` It will be live on Cloudflare Workers in seconds.

What runtime does sec-hmac-verify use? +

sec-hmac-verify runs on aerostack on the Cloudflare Workers edge runtime — zero cold starts, globally distributed.

Can I customise the sec-hmac-verify function? +

Yes. Fork the function from your Aerostack dashboard, modify the source, and redeploy. All changes are version-controlled.