
What is HMAC?

Hash-based Message Authentication Code — a mechanism for verifying message integrity and authenticity using a shared secret key.

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a message authentication code. Unlike a plain hash, HMAC cannot be forged without knowledge of the secret key.

HMAC is used to verify both data integrity (the message was not altered) and authenticity (it came from someone with the secret key).

How HMAC Works

HMAC(key, message) = Hash((key XOR opad) || Hash((key XOR ipad) || message))

The key is combined with the message before hashing, making the output dependent on both.
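
The formula above written out step by step and checked against Python's standard hmac module, as an added example that is not part of the original page. The key padding rules and the ipad/opad byte values follow RFC 2104; the key and message are constructed sample values.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC built directly from the formula (RFC 2104 construction)."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-256
    # Keys longer than one block are hashed first; shorter keys are zero-padded.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    # ipad and opad are the fixed bytes 0x36 and 0x5c repeated to block size.
    inner_key = bytes(b ^ 0x36 for b in key)
    outer_key = bytes(b ^ 0x5C for b in key)
    # Inner hash: Hash((key XOR ipad) || message)
    inner = hashlib.new(hash_name, inner_key + message).digest()
    # Outer hash: Hash((key XOR opad) || inner)
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify(key: bytes, message: bytes, received_hex: str) -> bool:
    """Recompute the tag and compare it to the received one in constant time."""
    try:
        received = bytes.fromhex(received_hex)
    except ValueError:
        return False  # malformed tag is rejected, never compared
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest avoids leaking, through timing, how many bytes matched.
    return hmac.compare_digest(expected, received)


# Constructed sample values for illustration only.
KEY = b"example-shared-secret"
BODY = b'{"event":"payment.succeeded","id":"evt_0001"}'

if __name__ == "__main__":
    tag = hmac_manual(KEY, BODY)
    print("tag:", tag.hex())
    print("matches stdlib:", tag == hmac.new(KEY, BODY, hashlib.sha256).digest())
    print("valid message:", verify(KEY, BODY, tag.hex()))
    print("altered message:", verify(KEY, BODY + b" ", tag.hex()))
    print("wrong key:", verify(b"other-key", BODY, tag.hex()))
```

The receiver always recomputes the tag from the raw message bytes it received and compares with `hmac.compare_digest`, not with `==`.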

Applications

  • API request signing
  • Cookie tampering prevention
  • JWT signature verification (HS256, HS512)
  • Webhook payload verification

FAQ

What is the difference between HMAC and a plain hash?

A plain hash takes no key, so anyone can recompute it for any message. HMAC requires the secret key: only parties with the key can produce or verify the signature.