Hmac Validation Issue Oauth-base flow

Shopify Partner
9 0 5


I have created hmac in java using below mentioned function in java:

private static String generateHmac(String message, String secret) {
String algorithm = "HmacSHA256";
String hash = "";
try {
Mac sha256_hmac = Mac.getInstance(algorithm);
SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), algorithm);
hash = Base64.encodeBase64String(sha256_hmac.doFinal(message.getBytes()));
}catch (NoSuchAlgorithmException | InvalidKeyException e) {
throw new RuntimeException(e);
return hash;


message = "code=0907a61c0c8d55e99db179b68161bc00&"


req hmac = 700e2dadb827fcc8609e9d5ce208b2e9cdaab9df07390d2cbca10d7c328fc4bf

generated hmac = jxGGv65OkiJzVKaQR9PqrKr5xXgDZFAv/LUWFWj9eqY=

But generated hmac is different than the required.

Please help here.

Replies 2 (2)
Shopify Partner
17 2 2

Hi @sahil_197,

I'm unable to verify your work due to the missing shop and secret, but based on your example:

  1. Use Base16 encoding instead of Base64 when verifying the HMAC for OAuth requests/redirects. Your required HMAC looks to be encoded in base16, while the generated HMAC is in base64.
  2. You should explicitly set the UTF-8 charset rather than relying on it being the default charset.

Shameless plug: I created an open source library to handle HMAC verification here: Scenario #3 in the README should be helpful to you. Feel free to use it, and feedback/questions are welcome!

Shopify Partner
33 4 7

Thanks for the tips Alan. Now, it seems to be base 32.

EDIT: nvm, it is still base 16 (hex)