hmac-background-image
Technology

HMAC Isn’t Encryption (And That’s Why Most Implementations Are Broken)

Yusufhan Sacak
3 min read
Back to Insights
Share:

I’ve been working on a Salesforce → Workato integration recently.

HMAC-signed webhooks, canonical strings, timestamps, nonces — the usual stuff.

And once again, I ran into the same pattern I see everywhere:

People add HMAC…

…but don’t actually verify it.

So let’s clear something up.

HMAC does not encrypt anything

This is the first misunderstanding.

HMAC does not hide your payload.

Your POST body is visible:

  • In Salesforce
  • In Workato
  • In your gateway
  • In logs

That’s normal.

Payload confidentiality is provided by HTTPS (TLS).

Not HMAC.

If someone tells you HMAC “encrypts” your data — they’re already off track.

So what is HMAC actually for?

HMAC gives you two guarantees:

1. Authentication

The request really came from who you expect.

2. Integrity

The body wasn’t modified in transit.

That’s it.

In practical terms:

  • Someone can’t spoof requests.
  • Someone can’t change amount: 100 into amount: 100000.
  • Someone can’t replay the same request forever.

That’s the whole point.

Not secrecy.

Trust.

The basic flow (simplified)

Sender (Salesforce):

body + secret → HMAC → signature

Receiver (Workato / gateway):

body + secret → expected_signature

Then:

expected == received ?

If yes:

  • Request is legitimate
  • Payload is untouched

If no:

  • Drop it.

Simple.

If you don’t verify, you don’t have HMAC

This is where most systems fail.

I see this constantly:

  • Signature header is present ✅
  • Timestamp header exists ✅
  • Nonce header exists ✅

But…

  • No signature comparison ❌
  • No timestamp window ❌
  • No replay protection ❌

At that point, your system is effectively:

“Accept every POST.”

The HMAC is just decoration.

Adding a signature header without verification is security theatre.

What attacks does HMAC actually prevent?

When implemented properly:

Fake requests

Attackers can’t forge valid calls without the secret.

Payload manipulation

Any change breaks the signature.

Replay attacks

With timestamp + nonce, old requests get rejected.

These are real-world problems.

HMAC solves them.

But only if you finish the job.

A practical lesson from my Workato setup

Workato doesn’t natively verify HMAC.

So I had to:

  • Capture the raw body (not parsed JSON)
  • Rebuild the canonical string
  • Compute HMAC manually in Ruby
  • Compare signatures
  • Stop the job on mismatch

Only then did I actually have security.

Until that moment, everything “looked” secure — but wasn’t.

That’s the trap.

Production reality

For serious systems, I don’t even recommend verifying HMAC inside automation tools.

The cleaner architecture is:

Salesforce

Edge / Gateway
- HMAC verification
- timestamp window
- nonce storage
- audit logging

Workato

Your automation layer should receive already trusted requests.

Not perform cryptography.

Final takeaway

HMAC doesn’t hide your data.

HMAC tells you:

This request really came from here — and nobody touched it on the way.

And unless you explicitly verify that…

You don’t have HMAC.

You just have headers.

yusufhan

Yusufhan Sacak

Software Engineer

Yusufhan Sacak is a product-focused software engineer building scalable web platforms and automation-ready systems. He specialises in performance, clean architecture, and shipping reliable, production-ready products for professional services teams.

Tags

#Cybersecurity#Webhooks#HMAC#Software Engineering#API Security#System Design#Cloud Architecture

Categories

Technology
Share:

Explore More Insights

View All
digital-transformation-tools-business
Resources

rubica Field Notes

Practical field notes on how firms use Salesforce and Workato to simplify onboarding, operations and reporting, without reinventing systems or over-automating.

rubica Team