HMAC Generator
Generate Hash-based Message Authentication Codes (HMAC) using the Web Crypto API — nothing leaves your browser.
HMAC (Hash-based Message Authentication Code) is a mechanism for computing a message authentication code using a cryptographic hash function combined with a secret key. It provides both data integrity and authenticity verification.
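How it works: HMAC takes a message and a secret key, then processes them through a hash function (like SHA-256) in a specific two-pass construction: HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m)). Here H is the hash function, K' is the key K brought to the hash's block size (zero-padded, or hashed first if it is longer than a block), and ipad and opad are the fixed inner and outer padding constants (the bytes 0x36 and 0x5c repeated to the block size).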
When to use HMAC:
- API Authentication — Sign API requests to prove identity (e.g., AWS Signature V4, Stripe webhooks)
- Webhook Verification — Verify that incoming webhooks are genuinely from the expected sender
- JWT Signing — HMAC-SHA256 (HS256) is commonly used to sign JSON Web Tokens
- Data Integrity — Ensure messages have not been tampered with during transmission
- Secure Token Generation — Create unforgeable tokens tied to a secret key
Why not just hash? A plain hash (e.g., SHA-256) can verify integrity but not authenticity. Anyone can compute a hash. HMAC requires the secret key, so only parties who know the key can generate or verify the code.