What is HMAC?
A mechanism for verifying both the integrity and authenticity of a message using a cryptographic hash function combined with a secret key.
HMAC (Hash-based Message Authentication Code) proves that a message hasn't been tampered with and was created by someone who knows the secret key.
How It Works
- Combines a hash function (like SHA-256) with a secret key
- The sender generates HMAC(key, message) and sends it alongside the message
- The receiver recomputes the HMAC over the received message with the same key and compares it to the tag that was sent
- If they match, the message is authentic and unmodified
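The sender/receiver exchange above, as an added example that is not part of the original page: it builds HMAC-SHA256 from the RFC 2104 definition (inner and outer hash with the ipad/opad-masked key), checks it against Python's hmac module, and verifies a tag in constant time so that a tampered message or a wrong key is rejected. The key and JSON message are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 64-byte blocks; HMAC pads the key to this length


def hmac_sha256_manual(key: bytes, message: bytes) -> bytes:
    """HMAC as defined in RFC 2104: H((K xor opad) || H((K xor ipad) || m))."""
    # Keys longer than the block size are hashed first; shorter keys are zero-padded.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def sign(key: bytes, message: bytes) -> bytes:
    """Sender side: compute the tag that travels alongside the plaintext message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time.

    A plain == on bytes can leak, via timing, how many leading bytes matched,
    so the comparison uses hmac.compare_digest instead."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


# Constructed sample values (not real secrets)
KEY = b"shared-secret-key-example"
MESSAGE = b'{"user": "alice", "action": "transfer", "amount": 100}'

if __name__ == "__main__":
    tag = sign(KEY, MESSAGE)
    print("tag:", tag.hex())
    print("manual construction matches library:", hmac_sha256_manual(KEY, MESSAGE) == tag)
    print("original message valid:", verify(KEY, MESSAGE, tag))
    tampered = MESSAGE.replace(b'"amount": 100', b'"amount": 9999')
    print("tampered message valid:", verify(KEY, tampered, tag))
    print("wrong key valid:", verify(b"some-other-key", MESSAGE, tag))
```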
Unlike a Plain Hash
- A regular hash (SHA-256 of a message) can be recomputed by anyone
- HMAC requires the secret key — only authorized parties can create or verify it
Where It's Used
- API authentication (signing requests)
- JWT (JSON Web Token) verification
- TLS record protocol
- Cookie signing in web applications
HMAC is Not Encryption
HMAC verifies integrity and authenticity but does not hide the message content. The message is sent in plaintext alongside the HMAC.
Related Terms
Hash Function
A mathematical function that converts any input data into a fixed-size string of characters (hash). Cryptographic hash functions are one-way, meaning you cannot reverse the process to recover the original data.
SHA-256
A cryptographic hash function that produces a 256-bit (32-byte) hash value. Part of the SHA-2 family, it's widely used for data integrity verification, digital signatures, password hashing, and as the backbone of Bitcoin's proof-of-work.
Symmetric Encryption
An encryption method where the same secret key is used for both encrypting and decrypting data. While fast and efficient, the challenge lies in securely sharing the key between parties.