What Is HMAC?
HMAC is used to provide message integrity and message authentication. In simple terms, it helps a receiver check that a message was not tampered with and was generated by a party that knows the correct secret key.
HMAC stands for Hash-based Message Authentication Code. It is a cryptographic technique that combines a secret key with a hash function to verify that data has not been changed and that it came from someone who knows the shared secret. In practice, HMAC is widely used in API signing, webhooks, tokens, and service-to-service communication where integrity and authenticity matter more than secrecy.
How HMAC works
At a high level, HMAC takes two inputs:
- The message or data
- A shared secret key
It then processes them through a hash function such as SHA-256 to produce a fixed-length output called an HMAC value or digest.
That output acts like a cryptographic proof tied to both the content and the secret key.
Basic flow
A typical HMAC process works like this:
- System A and System B share a secret key.
- System A creates a message.
- System A computes the HMAC for that message using the shared key.
- System A sends both the message and the HMAC value.
- System B receives them and computes its own HMAC over the message using the same shared key.
- If the values match, System B has confidence the message was not altered and was created by someone who knows the secret.
If even one bit of the message changes, the HMAC output changes too. If an attacker does not know the key, they should not be able to generate a valid HMAC for altered data.
Why a plain hash is not enough
A plain hash alone only tells you whether data matches a known value. It does not prove who created it.
For example, if an attacker can modify both the message and the hash that travels with it, a plain hash offers little protection. HMAC fixes that by requiring the secret key to generate a valid authentication code.
That is the key difference:
- Hash only: can detect changes if the hash itself is trusted
- HMAC: verifies integrity and authenticity because the secret key is required
If you want a broader background on hashing before diving deeper into HMAC, see what is hashing.
What HMAC is used for
HMAC is common in systems where one service needs to trust data from another without exposing full credentials every time.
API request signing
Some APIs require clients to sign requests with HMAC. The server verifies the signature before accepting the request. This helps protect request parameters, headers, and payloads from tampering.
Webhooks
Webhook providers often include an HMAC signature with each event they send. The receiving system recalculates the value to confirm the payload is legitimate and unchanged.
Signed cookies and tokens
Some applications use HMAC to detect tampering in cookies, session data, or lightweight tokens. If a user modifies the value, the integrity check fails.
Internal service communication
HMAC is also useful in scripts, automation pipelines, backup workflows, and machine-to-machine messaging where systems need a lightweight way to validate data authenticity.
What HMAC does not do
HMAC is useful, but it is often misunderstood. It does not:
- Encrypt the message
- Keep the content confidential
- Replace proper authorization
- Automatically prevent replay attacks
Anyone who can see the message can still read it unless it is protected by encryption separately.
If your goal is privacy or confidentiality, you need encryption. If your goal is to know the message was not altered and came from a trusted sender, HMAC is appropriate.
For a related concept that focuses on confidentiality rather than integrity, read what is asymmetric encryption.
When you’ll encounter HMAC
You will usually encounter HMAC in application security, API integration, DevOps, and cloud platform work.
In API documentation
Many third-party APIs describe HMAC signing requirements in their authentication docs. This is especially common for financial APIs, cloud services, and webhook receivers.
In secure application design
Developers use HMAC when they need to detect tampering in transmitted or stored data. It often comes up in session protection, request signing, and service authentication patterns.
In troubleshooting integrations
If requests are being rejected even though credentials seem correct, an HMAC validation problem may be the cause. Common issues include mismatched secrets, timestamp problems, canonicalization errors, or incorrect hashing routines.
In incident response
During investigations, failed HMAC checks may help show that data was modified in transit or that a system is trying to send unauthenticated requests.
Practical security considerations
HMAC is strong when used correctly, but the implementation details matter.
Protect the shared secret
If the shared key is exposed, an attacker can generate valid HMAC values. This makes key storage and rotation just as important as the HMAC algorithm itself. For teams storing lots of credentials and API secrets, a password manager like 1Password can help keep administrative secrets out of chats, docs, and unsecured notes.
Use modern hash functions
Modern deployments typically use HMAC with SHA-256 or stronger approved options depending on policy and compatibility.
Defend against replay
A valid HMAC does not stop an attacker from resending the same signed request later. Many systems pair HMAC with:
- Timestamps
- Nonces
- Expiration windows
- Unique request IDs
Compare values safely
Implementations should use constant-time comparison where appropriate so attackers cannot take advantage of timing differences during validation.
HMAC vs related concepts
HMAC vs hash
A hash function transforms data into a fixed-length value. HMAC uses a hash function plus a secret key, which makes forgery much harder.
HMAC vs encryption
Encryption protects confidentiality. HMAC protects integrity and authenticity. They solve different problems and are often used together.
HMAC vs digital signature
A digital signature uses asymmetric cryptography, while HMAC uses a shared secret. HMAC is often simpler and faster for systems that already trust each other with the same key.
Bottom line
HMAC is a practical way to verify that data is authentic and unchanged when two parties share a secret key. It is widely used in APIs, webhooks, tokens, and internal service communication because it adds trust to data without encrypting it. If you need to know whether a message was altered or forged, HMAC is one of the standard tools for the job.