Verify Klarna Webhook Signatures

Klarna signs webhook notifications with HMAC-SHA256 over the raw JSON body using a signing key you generate when registering the webhook, and sends the hex digest in the Klarna-Signature header. The Klarna-Signing-Key-Id header tells you which key was used. Paste the raw body, the signing key and the signature below.

Paste the Klarna-Signature value above to compare

Everything runs in your browser — the payload and secret never leave this page. Want to verify a different provider? See the webhook signature verifier hub or the generic HMAC generator.

How Klarna signs webhooks

  1. Read Klarna-Signing-Key-Id from the request and look up the matching signing key you stored at registration time.
  2. Compute HMAC-SHA256 of the raw JSON request body using that signing key.
  3. Hex-encode the digest and compare it to Klarna-Signature with a constant-time check.
  4. On mismatch, reject with 400; keep old keys available during rotation so in-flight notifications still verify.

Verify Klarna signatures in code

Node.js
const crypto = require('crypto');

// Look up the signing key by the Klarna-Signing-Key-Id header.
function isValidKlarnaWebhook(rawBody, signature, signingKey) {
  const expected = crypto
    .createHmac('sha256', signingKey)
    .update(rawBody)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(expected), Buffer.from(signature));
}
Python
import hashlib, hmac

def is_valid_klarna_webhook(raw_body: bytes, signature: str,
                            signing_key: str) -> bool:
    expected = hmac.new(signing_key.encode(), raw_body,
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)

Frequently asked questions

What is the Klarna-Signing-Key-Id header for?

It identifies which signing key produced the signature (keys look like krn:partner:global:notification:signing-key:…). Store the key id → key mapping when you register the webhook and use it to pick the right key before verifying.

Can I retrieve a lost signing key?

No — Klarna shows the signing key only when you generate it. If it is lost, generate a new key and update your verifier; support both keys briefly so in-flight notifications still pass.

What should my endpoint return?

Acknowledge quickly with 200/201/202/204 — do the real work asynchronously. Klarna retries failed deliveries, so handlers must be idempotent.