What Is HMAC?
HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message. It combines a cryptographic hash function (like SHA-256) with a secret key. Only someone with the key can generate a valid HMAC — and anyone with the key can verify it.
How HMAC Differs from Plain Hashing
A plain hash (SHA-256 of the message) proves integrity but not authenticity: anyone can compute it, so anyone who alters the message can also recompute a matching hash. HMAC adds a secret key, so only the sender and receiver (who share the key) can create or verify the signature.
Where HMAC Is Used
- Webhook verification — GitHub, Stripe, and Slack sign webhook payloads with HMAC-SHA256
- API authentication — AWS Signature V4 uses HMAC-SHA256
- JWT signing — HS256 tokens use HMAC-SHA256
- Message integrity — verify that data wasn't tampered with in transit
The Process
- Sender creates HMAC: HMAC-SHA256(secret_key, message)
- Sender includes the HMAC signature in the request header
- Receiver computes HMAC with the same key and message
- If signatures match, the message is authentic and unmodified
Generate and Verify HMAC
Use the HMAC Generator on CodeKitLab to create HMAC-SHA256/512 signatures and verify message integrity. Working with webhook payloads? Use the Hash Generator for quick SHA-256 hashes. Need to decode the JWT that was signed? The JWT Decoder shows you every claim inside.
Implementation Tips
- Always use constant-time comparison to prevent timing attacks
- Use at least SHA-256 — avoid MD5 and SHA-1
- Store your secret keys securely — never commit them to git
- Rotate keys periodically and support key versioning
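The process and tips above, combined in an added Python example that is not CodeKitLab's own code. The key values, the KEYS table, and the "<version>=<hex tag>" header format are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo keys, indexed by version so old and new keys can overlap
# during rotation. Real keys come from a secret store, never from source code.
KEYS = {
    "v1": b"constructed-demo-key-one",
    "v2": b"constructed-demo-key-two",
}
CURRENT_VERSION = "v2"


def sign(message: bytes, version: str = CURRENT_VERSION) -> str:
    """Return a header value of the (hypothetical) form '<version>=<hex tag>'."""
    tag = hmac.new(KEYS[version], message, hashlib.sha256).hexdigest()
    return f"{version}={tag}"


def verify(message: bytes, header: str) -> bool:
    """Recompute the tag over the raw bytes received and compare in constant time."""
    version, sep, received = header.partition("=")
    key = KEYS.get(version)
    if not sep or key is None:
        return False  # malformed header, or an unknown/retired key version
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    # compare_digest avoids the early exit of == that would leak how many
    # leading characters of the tag matched.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    body = b'{"event":"payment.succeeded","amount":1200}'  # constructed payload
    header = sign(body)
    print(header)
    print("authentic:", verify(body, header))
    print("tampered: ", verify(body.replace(b"1200", b"9900"), header))
```

Verify against the exact bytes received, before any JSON parsing or re-serialization, because a re-encoded body will not produce the same tag.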
HMAC Signatures
HMAC combines a hash function with a secret key to verify message integrity and authenticity. Generate and verify HMAC with the HMAC Generator. For ordinary hashes, use the Hash Generator.