HMAC

Compute an HMAC of a message using a shared key and a chosen hash algorithm.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What is HMAC?

HMAC (Hash-based Message Authentication Code) combines a message with a secret key and a hash function to produce an authentication code. Unlike a plain hash, HMAC requires knowing the secret key to verify — so it authenticates both the message content and the sender's identity. The formula is HMAC = H(key ⊕ opad || H(key ⊕ ipad || message)).

How is HMAC different from a plain hash?

A plain hash (SHA-256 of 'hello') is publicly reproducible by anyone — it authenticates nothing. HMAC adds a secret key so only parties who know the key can produce or verify the code. An attacker who sees the message and HMAC cannot forge a valid code for a different message without the key.

What is HMAC used for?

Common uses: signing API requests (AWS Signature v4, Stripe webhooks, GitHub webhook verification), generating CSRF tokens, creating signed cookies, and verifying JWT signatures using the HS256/HS512 algorithm. Any scenario where two parties share a secret and need to verify message integrity is a candidate for HMAC.

Which HMAC algorithm should I choose?

HMAC-SHA-256 is the standard choice — widely supported, secure, and produces a 256-bit (32-byte) MAC. HMAC-SHA-512 is faster on 64-bit systems and provides a larger output. Avoid HMAC-MD5 and HMAC-SHA-1 for new systems — while their HMAC modes are technically stronger than plain MD5/SHA-1, SHA-256 is the current standard.