2 min read
Definition
HMAC combines a message with a secret key through a hash function to produce a signature only a holder of the secret could compute. The receiver recomputes it over the raw bytes and compares — in constant time — to authenticate the message.
In plain terms
A tamper-proof stamp that proves who sent a message, using a shared secret.
Why it matters here
It secures webhook delivery. See verifying a webhook signature.
Related reading

Webhook
A webhook is a signed HTTP POST Credicorp sends to your URL when an event happens — a decision, a settlement,…
Read →
Constant-time comparison
A constant-time comparison checks two values without returning early on the first mismatch, so an attacker…
Read →
At-least-once delivery
At-least-once delivery guarantees every event arrives one or more times — never zero, but sometimes twice…
Read →Funding for UK limited companies
Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.