What is HMAC?

HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a secret key with a hash function to verify both the integrity and authenticity of a message. It ensures that data has not been tampered with and comes from a trusted source.

Quick Facts

Full NameHash-based Message Authentication Code
Created1996 (RFC 2104)
SpecificationOfficial Specification

How It Works

HMAC was published in 1996 and is defined in RFC 2104. It works by hashing the message twice with the secret key in a specific way, making it resistant to length extension attacks that affect plain hash functions. HMAC can use any cryptographic hash function like SHA-256 or SHA-512. The resulting code is a fixed-size value that changes completely if either the message or key is modified. HMAC is widely used in API authentication, JWT signatures, and secure communication protocols.

Key Characteristics

  • Combines secret key with hash function
  • Provides both integrity and authenticity
  • Resistant to length extension attacks
  • Can use any hash function (SHA-256, SHA-512)
  • Fixed-size output regardless of input
  • Requires shared secret between parties

Common Use Cases

  1. API request signing
  2. JWT signature verification
  3. Webhook payload verification
  4. Secure cookie signing
  5. Message authentication in protocols

Example

loading...
Loading code...

Frequently Asked Questions

What is the difference between HMAC and a regular hash?

A regular hash only provides data integrity (detecting if data was modified), while HMAC provides both integrity and authenticity (verifying the data came from a trusted source with the secret key). HMAC uses a secret key mixed with the hash function, so only parties with the key can generate or verify the HMAC value.

Why is HMAC more secure than simply hashing a message with a key?

Simply concatenating a key with a message before hashing (e.g., hash(key + message)) is vulnerable to length extension attacks, where attackers can append data to the message without knowing the key. HMAC's double-hashing construction with inner and outer padding specifically prevents this attack and provides proven security guarantees.

Which hash algorithm should I use with HMAC?

HMAC-SHA256 is the most widely recommended choice, offering a good balance of security and performance. HMAC-SHA512 provides extra security margin for highly sensitive applications. Avoid HMAC-MD5 and HMAC-SHA1 for new implementations, though they remain more secure than the underlying hash functions when used in HMAC construction.

How is HMAC used in API authentication?

In API authentication, the client creates an HMAC signature by hashing request details (method, path, timestamp, body) with a shared secret key. The server recreates the same HMAC using its copy of the secret key and compares it to the received signature. If they match, the request is authenticated and hasn't been tampered with.

What happens if the HMAC secret key is compromised?

If the secret key is compromised, attackers can forge valid HMAC signatures for any message, completely bypassing the authentication. You should immediately rotate (change) the compromised key and invalidate all tokens or signatures created with the old key. Use proper key management practices like secure storage and regular rotation to minimize this risk.

Related Tools

Hash Generator

Generate hash values instantly with our free online tool. Supports MD5, SHA-1, SHA-256, SHA-512, SHA-384, SHA3, RIPEMD-160 algorithms. Calculate hashes for text and files. Fast, secure, and easy to use.

Related Terms

SHA-256

SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function that produces a 256-bit (32-byte) hash value, typically rendered as a 64-character hexadecimal number. It is part of the SHA-2 family designed by the NSA and is widely used for data integrity verification and digital signatures.

MD5

MD5 (Message-Digest Algorithm 5) is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value, typically expressed as a 32-character hexadecimal number. It was designed to be used as a checksum to verify data integrity.

JWT

JWT (JSON Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using a cryptographic algorithm.

Encryption

Encryption is the process of converting plaintext data into an unreadable format (ciphertext) using mathematical algorithms and cryptographic keys, ensuring that only authorized parties with the correct decryption key can access the original information.

Related Articles

Hashing Algorithms Comprehensive Guide【2026】- From MD5 to SHA-256

Master hashing algorithms principles and applications. Compare MD5, SHA-1, SHA-256, SHA-3 security. Learn password storage, data integrity verification, blockchain. Complete code examples included!

2024-01-25

MD5 Hash Explained【2026】- Principles, Uses & Security Complete Guide

Understand MD5 hash algorithm principles, use cases, and security limitations. Learn file integrity verification, collision attack principles, secure alternatives. Includes JavaScript/Python/Java code examples!

2024-07-27

Base64 Encoding & Decoding Guide【2026】- Free Online Encoder with Code Examples

Master Base64 encoding and decoding with practical examples in JavaScript, Python, and Java. Free online Base64 encoder tool. Learn data URLs, JWT, HTTP authentication, and best practices.

2024-01-15