# Security & HMAC

{% stepper %}
{% step %}
**HMAC Signature Verification**

HMAC (Hash-based Message Authentication Code) ensures that webhooks are authentic and haven't been tampered with. Every webhook request includes a signature that we verify using your secret key.

```
How it works:
1. Your store creates a signature using HMAC-SHA256 and your secret key
2. The signature is sent in the webhook header (e.g., X-Signature)
3. Our system recalculates the signature using the same secret
4. If signatures match, the webhook is processed
5. If they don't match, the request is rejected
```
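The five steps above, as an added Python example (not this service's own code). It assumes the `X-Signature` value is the hex-encoded HMAC of the raw request body and that the algorithm is fixed in the receiver's configuration; the secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Digests listed under "Supported Algorithms" on this page.
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}

# Constructed sample values for the demo, not real credentials or traffic.
SECRET = b"constructed-demo-secret-not-a-real-key"
BODY = b'{"event":"order.paid","id":1042}'


def sign(secret: bytes, raw_body: bytes, algorithm: str = "sha256") -> str:
    """Sender side (steps 1-2): hex HMAC over the exact bytes of the body."""
    return hmac.new(secret, raw_body, ALGORITHMS[algorithm]).hexdigest()


def verify(secret: bytes, raw_body: bytes, header_value, algorithm: str = "sha256") -> bool:
    """Receiver side (steps 3-5): recompute and compare in constant time."""
    if algorithm not in ALGORITHMS or not header_value:
        return False  # unknown algorithm or missing header: reject
    try:
        received = bytes.fromhex(header_value.strip())
    except ValueError:
        return False  # header is not hex (assumed encoding): reject
    expected = hmac.new(secret, raw_body, ALGORITHMS[algorithm]).digest()
    return hmac.compare_digest(expected, received)  # avoids a timing side channel


def demo():
    sig = sign(SECRET, BODY)
    # Parsing and re-dumping JSON changes whitespace, so the bytes no longer match.
    reserialized = json.dumps(json.loads(BODY)).encode()
    return {
        "valid": verify(SECRET, BODY, sig),
        "tampered": verify(SECRET, BODY.replace(b"1042", b"1043"), sig),
        "reserialized": verify(SECRET, reserialized, sig),
        "wrong_algorithm": verify(SECRET, BODY, sig, "sha512"),
        "missing_header": verify(SECRET, BODY, None),
    }


if __name__ == "__main__":
    print(demo())
```

Verify against the raw request bytes before any JSON parsing; the `reserialized` case shows a correctly signed payload failing once it has been re-encoded.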

{% endstep %}

{% step %}
**Security Best Practices**

* [ ] **Strong Secrets:** Use long, random HMAC secrets
* [ ] **HTTPS Only:** Always use secure connections
* [ ] **Secret Rotation:** Regularly update your secrets
* [ ] **IP Whitelisting:** Restrict webhook sources
* [ ] **Rate Limiting:** Prevent abuse and spam
* [ ] **Logging:** Monitor webhook activity

{% endstep %}

{% step %}
**Supported Algorithms**

<details>

<summary><strong>SHA-1</strong></summary>

Fast, legacy support

</details>

<details>

<summary><strong>SHA-256</strong></summary>

Recommended, secure

</details>

<details>

<summary><strong>SHA-512</strong></summary>

Maximum security

</details>

{% endstep %}
{% endstepper %}

{% hint style="warning" %}
**Security Warning:** Never share your HMAC secret publicly or commit it to version control. Use environment variables or secure secret management systems.
{% endhint %}

