Question 1

What is HMAC?

Accepted Answer

HMAC (Hash-based Message Authentication Code) is a mechanism that combines a cryptographic hash function with a secret key to produce a message authentication code. HMAC verifies both the data integrity and authenticity of a message — only someone with the secret key can produce the correct HMAC.

Question 2

What is the difference between HMAC and a regular hash?

Accepted Answer

A regular hash (SHA-256, MD5) is deterministic and public — anyone can compute the hash. HMAC requires a secret key, making it impossible to verify or forge without the key. HMAC is used for API authentication, JWT signatures, and webhook verification.

Question 3

How does HMAC work?

Accepted Answer

HMAC(key, message) = H((key XOR opad) || H((key XOR ipad) || message)) where H is the hash function, opad and ipad are fixed padding constants. The double-hash construction provides security even if the underlying hash has weaknesses.

Question 4

Which HMAC algorithm should I use?

Accepted Answer

HMAC-SHA256 is the standard choice for new systems — secure, widely supported, and used in AWS Signature Version 4, JWT HS256, and most modern APIs. HMAC-SHA512 provides larger output. HMAC-SHA1 is acceptable for legacy systems but avoid new usage.

Question 5

How is HMAC used in API authentication?

Accepted Answer

APIs use HMAC by: (1) sharing a secret key with the client, (2) requiring the client to compute HMAC(key, request_body + timestamp), (3) including the HMAC in the request header. The server recomputes the HMAC and compares — valid only if keys match. AWS SigV4, Stripe webhooks, and GitHub webhooks all use this pattern.

Question 6

What is HMAC used for?

Accepted Answer

HMAC (Hash-based Message Authentication Code) verifies both message integrity and authenticity. It combines a secret key with a hash function (SHA-256, SHA-512) to produce a signature that only someone with the key can generate. HMAC is used in API authentication (HTTP request signing), JWT signatures (HS256), webhook verification, and SSL/TLS handshakes.

Question 7

How do I verify an HMAC signature?

Accepted Answer

Compute the HMAC of the received message using your shared secret key and the same algorithm (e.g., SHA-256). Compare the computed HMAC with the received signature using a constant-time comparison function to prevent timing attacks. If they match, the message is authentic and unmodified. This tool generates HMACs — use it to test your implementation against known test vectors.

HMAC Generator — Free Online HMAC Hash Generator

Frequently Asked Questions

HMAC: Message Authentication with Cryptographic Keys

Related Tools

HMAC-SHA256

SHA-256

SHA-512

JWT Decoder