Glossary

HMAC

Hash-based Message Authentication Codekeyed hash

HMAC is a keyed message authentication code built from a cryptographic hash function.

Definition

HMAC means Hash-based Message Authentication Code. It combines a secret key with a cryptographic hash function to produce a fixed-size authentication tag for a message.

A verifier with the same secret key recalculates the tag over the exact message bytes and compares it with the received tag. A match shows that the message was not changed and that the tag was created by someone who knew the shared key.

How it works

HMAC hashes the key and message in two nested steps with different padding constants. This construction is safer than simply calculating hash(key || message), which can be vulnerable with some hash functions.

The selected hash function determines the tag size: HMAC-SHA256 produces 32 bytes, usually written as 64 hexadecimal characters. HMAC-SHA512 and HMAC-SHA384 produce longer tags, while HMAC-SHA1 mainly remains for compatibility.

Use and limits

HMAC is used for API signatures, webhooks, session data, JWT HS256, and protocol messages where both sides already share a secret. It provides integrity and authentication, not confidentiality: the message itself is not hidden.

Use a random secret key, preserve the exact bytes being signed, and compare tags with a constant-time comparison in application code. For public verification without a shared secret, use a digital signature instead.

Frequently asked questions

No. HMAC authenticates a message but does not hide it. Use encryption separately when the message must be confidential.

A plain hash has no secret key, so anyone can change the message and calculate a new hash. HMAC requires the shared secret to create a valid tag.

No. Verification recalculates the tag from the original message and secret key; it does not recover either value from the tag.

See also
Related tools
Related terms