HMAC Generator: Message Authentication
Generate HMACs with SHA-256, SHA-512, or SHA-1 — for API request signing and data integrity verification.
Tags: HMAC generator, HMAC-SHA256 online, message authentication code
HMAC (Hash-based Message Authentication Code) is the cryptographic primitive behind API request signing, webhook verification, JWT tokens, and TLS. It provides both message integrity (the data wasn't altered) and authenticity (the data came from someone with the key) — two properties a plain hash cannot give you.

HMAC vs Hash: The Core Difference

A regular hash like SHA-256 is deterministic and keyless: anyone who knows the input can compute the output. An attacker who intercepts a message and its SHA-256 hash can replace both with a different message and a new hash — the recipient has no way to detect the substitution.

HMAC requires a secret key: Where is the key padded to the block size, is the hash function, is and is . The double-hash…
Frequently Asked Questions
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message. It combines a secret key with a cryptographic hash function (typically SHA-256) to produce a fixed-length authentication tag. If the tag matches, the message has not been altered and came from someone who knows the key.
How do I generate an HMAC-SHA256?
In Python: `hmac.new(key.encode(), message.encode(), hashlib.sha256).hexdigest()`. In Node.js: `crypto.createHmac('sha256', key).update(message).digest('hex')`. In the browser: use the Web Crypto API — `crypto.subtle.sign('HMAC', key, data)`. Always use a cryptographically random key of at least 32 bytes.
What is HMAC used for?
HMAC is used for API request signing (AWS Signature v4, Stripe webhooks, GitHub webhooks), JWT token authentication (HS256 is HMAC-SHA256), cookie integrity checking, file integrity verification, and as a building block in protocols like TLS. Any scenario requiring message authentication without encryption is an HMAC use case.
How is HMAC different from a hash?
A regular hash (SHA-256) is a one-way function — anyone can compute it from the input. HMAC requires a secret key to compute and verify. This means an attacker who can modify a message cannot forge a valid HMAC without knowing the key. A plain hash provides integrity only if the hash itself is protected; HMAC provides integrity even if both the message and HMAC are intercepted.
How do I verify an HMAC?
Recompute the HMAC over the received message with the shared key, then compare the computed value against the received value using a constant-time comparison. In Python, use `hmac.compare_digest()`. In Node.js, use `crypto.timingSafeEqual()`. Never use `===` or string comparison — this leaks timing information that attackers can exploit.
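The verification steps above as a worked Python example, added here and not part of the original article. The function names `sign`, `verify` and `demo` and the JSON body are constructed for illustration. The tag is decoded from hex to bytes before comparison so that an uppercase or malformed tag from the sender is handled explicitly.

```python
import hashlib
import hmac
import secrets


def sign(key: bytes, message: bytes) -> str:
    """Return the HMAC-SHA256 tag of message as lowercase hex."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, received_hex: str) -> bool:
    """Recompute the tag and compare it to the received one in constant time."""
    try:
        # Compare raw bytes, not hex text, so letter case cannot cause a mismatch.
        received = bytes.fromhex(received_hex.strip())
    except ValueError:
        return False  # not valid hex: reject without comparing
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest returns False for inputs of different length.
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    key = secrets.token_bytes(32)  # random 32-byte key, as the article advises
    body = b'{"event":"payment.succeeded","amount":1200}'  # constructed sample
    tag = sign(key, body)
    return {
        "valid": verify(key, body, tag),
        "uppercase_hex": verify(key, body, tag.upper()),
        "tampered_body": verify(key, body.replace(b"1200", b"9200"), tag),
        "wrong_key": verify(secrets.token_bytes(32), body, tag),
        "truncated_tag": verify(key, body, tag[:32]),
        "not_hex": verify(key, body, "zz" + tag[2:]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14} -> {'accept' if ok else 'reject'}")
```

Verify against the exact bytes received on the wire; re-serialising a parsed JSON body before computing the HMAC can change the bytes and make a genuine tag fail.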