HMAC combines a hash function (typically SHA-256) with a secret key in a specific way that's safe against length-extension attacks and other classical traps. Given the same secret + same message, two parties produce the same HMAC; without the secret, an attacker can't.
Webhook signatures are the most common HMAC use case for application developers. Stripe, GitHub, Shopify all sign their webhook bodies with HMAC-SHA256 using a secret you share with them. Your handler recomputes the HMAC and compares — if it matches, the body wasn't tampered with and was signed by the provider.
The four classic ways HMAC verification fails: wrong secret, body re-serialized after parsing (whitespace differs), header parsed wrong (forgot to strip prefix), encoding mismatch (hex vs base64). Stripe wins the prize for the body-mutation case.