Definition
A naive string compare stops at the first differing byte, so its running time leaks how many leading bytes matched. A constant-time comparison always examines the full length, removing that timing side channel — essential when comparing an HMAC signature.
In plain terms
Comparing secrets in a way that does not leak them through timing.
Why it matters here
Use your language's constant-time helper (for example hmac.compare_digest) when verifying webhooks. See verifying a signature.
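An added example, not code from the original page or from Credicorp: it counts how many bytes an early-exit compare examines (the quantity its running time reveals) and verifies a webhook signature with hmac.compare_digest instead. HMAC-SHA256, the hex-encoded signature, and the function names are assumptions; the secret and body are constructed sample values.

```python
import hashlib
import hmac


def bytes_examined_naive(expected: bytes, guess: bytes) -> int:
    """Count the bytes an early-exit compare touches before it returns.

    Running time tracks this count, so it reveals how long the matching
    prefix of the guess is.
    """
    examined = 0
    for x, y in zip(expected, guess):
        examined += 1
        if x != y:
            break  # early exit: the source of the timing leak
    return examined


def verify_webhook(secret: bytes, raw_body: bytes, signature_hex: str) -> bool:
    """Recompute the HMAC over the raw request body and compare safely.

    Assumes HMAC-SHA256 and a hex-encoded signature (not stated on the page).
    """
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    try:
        received = bytes.fromhex(signature_hex.strip())
    except ValueError:
        return False  # malformed hex: reject before any comparison
    # compare_digest does not stop at the first differing byte
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret = b"constructed-secret"           # constructed sample value
    body = b'{"event":"decision"}'           # constructed sample value
    good = hmac.new(secret, body, hashlib.sha256).hexdigest()
    print(verify_webhook(secret, body, good))        # valid signature
    print(verify_webhook(secret, body, "00" * 32))   # wrong signature
    print(verify_webhook(secret, body, "not-hex"))   # malformed header
```

Pass the raw request bytes to verify_webhook, not a re-serialized parse of the JSON, since any byte difference changes the HMAC.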
Related reading

HMAC signature
An HMAC signature is a keyed hash of a message that proves it came from a party holding the shared secret and…
Webhook
A webhook is a signed HTTP POST Credicorp sends to your URL when an event happens — a decision, a settlement,…
JWKS (JSON Web Key Set)
A JWKS is the published set of public keys that sign partner access tokens. Fetch it, cache by key ID, and…