Verify Klarna Webhook Signatures
Klarna signs webhook notifications with HMAC-SHA256 over the raw JSON body using a signing key you generate when registering the webhook, and sends the hex digest in the Klarna-Signature header. The Klarna-Signing-Key-Id header tells you which key was used. Paste the raw body, the signing key and the signature below.
Everything runs in your browser — the payload and secret never leave this page. Want to verify a different provider? See the webhook signature verifier hub or the generic HMAC generator.
How Klarna signs webhooks
- Read
Klarna-Signing-Key-Idfrom the request and look up the matching signing key you stored at registration time. - Compute HMAC-SHA256 of the raw JSON request body using that signing key.
- Hex-encode the digest and compare it to
Klarna-Signaturewith a constant-time check. - On mismatch, reject with
400; keep old keys available during rotation so in-flight notifications still verify.
Verify Klarna signatures in code
const crypto = require('crypto');
// Look up the signing key by the Klarna-Signing-Key-Id header.
function isValidKlarnaWebhook(rawBody, signature, signingKey) {
const expected = crypto
.createHmac('sha256', signingKey)
.update(rawBody)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(expected), Buffer.from(signature));
}import hashlib, hmac
def is_valid_klarna_webhook(raw_body: bytes, signature: str,
signing_key: str) -> bool:
expected = hmac.new(signing_key.encode(), raw_body,
hashlib.sha256).hexdigest()
return hmac.compare_digest(expected, signature)Frequently asked questions
What is the Klarna-Signing-Key-Id header for?
It identifies which signing key produced the signature (keys look like krn:partner:global:notification:signing-key:…). Store the key id → key mapping when you register the webhook and use it to pick the right key before verifying.
Can I retrieve a lost signing key?
No — Klarna shows the signing key only when you generate it. If it is lost, generate a new key and update your verifier; support both keys briefly so in-flight notifications still pass.
What should my endpoint return?
Acknowledge quickly with 200/201/202/204 — do the real work asynchronously. Klarna retries failed deliveries, so handlers must be idempotent.
Verify other providers
Receiving Klarna webhooks on a server behind a firewall or on localhost? Webhook Relay can forward them to your internal service and even verify or transform them before delivery.
