—
About HMAC
- HMAC (Hash-based Message Authentication Code) is defined in RFC 2104 (also FIPS 198-1); a tag computed over a message lets the receiver check both that the data was not modified and that it was produced by someone holding the key
- Unlike a plain hash, HMAC requires a shared secret key — without the key, an attacker cannot forge a valid tag. Because the key is shared, HMAC is symmetric: anyone able to verify a tag can also create one, so it gives no non-repudiation. The nested construction H((K xor opad) || H((K xor ipad) || m)) also avoids the length-extension attack that breaks the naive H(key || message) with Merkle–Damgård hashes such as SHA-1 and SHA-256
- The output length matches the underlying hash: SHA-1 = 20 bytes, SHA-256 = 32 bytes, SHA-384 = 48, SHA-512 = 64. RFC 2104 allows truncating the tag, but not below half the hash output or 80 bits; always compare tags in constant time
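Added example, not from the page: the RFC 2104 construction built from the bare hash so the ipad/opad structure and the long-key rule are visible, then checked against Python's hmac module for each of the hashes listed above. The keys and messages below are constructed sample data.

```python
import hashlib
import hmac

# Block size of the underlying hash (RFC 2104 "B"): 64 bytes for SHA-1/SHA-256,
# 128 bytes for SHA-384/SHA-512. The key is padded or pre-hashed to this size.
BLOCK_SIZES = {"sha1": 64, "sha256": 64, "sha384": 128, "sha512": 128}


def hmac_rfc2104(key: bytes, msg: bytes, algo: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), per RFC 2104."""
    block = BLOCK_SIZES[algo]

    def h(data: bytes) -> bytes:
        return hashlib.new(algo, data).digest()

    # Keys longer than the block size are hashed first; shorter keys are
    # zero-padded on the right up to the block size.
    if len(key) > block:
        key = h(key)
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return h(opad + h(ipad + msg))


def tag_length(algo: str) -> int:
    """Tag length equals the digest length of the underlying hash."""
    return len(hmac_rfc2104(b"k", b"m", algo))


def verify(key: bytes, msg: bytes, tag: bytes, algo: str = "sha256") -> bool:
    """Constant-time check: a plain == on tags leaks how many leading bytes matched."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, algo), tag)


def matches_stdlib(key: bytes, msg: bytes, algo: str) -> bool:
    """Cross-check the hand-rolled construction against the standard library."""
    return hmac_rfc2104(key, msg, algo) == hmac.new(key, msg, algo).digest()


if __name__ == "__main__":
    key = b"correct horse battery staple"          # constructed sample key
    msg = b'{"order_id": 42, "amount": 1999}'       # constructed sample message
    for algo in BLOCK_SIZES:
        tag = hmac_rfc2104(key, msg, algo)
        print(f"{algo:7} {len(tag):3} bytes  {tag.hex()}")
    # A key longer than the block size exercises the pre-hash branch.
    print("long-key sha512 matches stdlib:", matches_stdlib(b"x" * 200, msg, "sha512"))
```

The `matches_stdlib` check is the important one when you implement a MAC by hand: a construction that is subtly wrong (for example hashing the key only when it exceeds the digest size instead of the block size) still produces plausible 32-byte output, and only a comparison against a known-good implementation or published test vectors will catch it.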
Common use cases
- API request signing — AWS Signature V4 (HMAC-SHA256, with the signing key derived by a chain of HMACs over the date, region and service name before the request is signed), Alibaba Cloud
- Webhook verification — GitHub (X-Hub-Signature-256), Stripe (Stripe-Signature) and Slack (X-Slack-Signature) send an HMAC-SHA256 header so the receiver can check that the body came from the sender; verify it with a constant-time comparison, and check the timestamp that Stripe and Slack include so a captured request cannot be replayed
- Session tokens — JWT HS256 is HMAC-SHA256 over base64url(header) "." base64url(payload); the verifier must pin the algorithm it expects rather than trusting the token's alg field, or a token signed with a different algorithm (or alg=none) may be accepted
- TOTP — Google Authenticator and other authenticator apps implement RFC 6238, which is HOTP (RFC 4226) with the counter set to floor(unix_time / 30) and HMAC-SHA1 as the default hash; the 6-digit code is a dynamic truncation of the 20-byte tag
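Added example, not from the page or from any of the vendors named above: two of the listed uses side by side, a Slack-style webhook check (signature base "v0:timestamp:body", HMAC-SHA256, hex, with a replay window and constant-time compare) and TOTP per RFC 6238 on HMAC-SHA1 with the RFC's dynamic truncation. The signing secret, body, timestamps and the 300-second window are constructed assumptions for the example; the TOTP secret is the one from the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct


# --- Webhook verification (Slack-style v0 scheme) ---------------------------

def sign_webhook(secret: bytes, ts: int, body: bytes) -> str:
    """Signature header value: v0=hex(HMAC-SHA256(secret, "v0:<ts>:<body>"))."""
    base = b"v0:" + str(ts).encode() + b":" + body
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, ts: int, body: bytes, header: str,
                   now: int, window: int = 300) -> bool:
    """Accept only a fresh, correctly signed request.

    The timestamp is bound into the MAC, so an attacker cannot change it, and
    the window rejects replays of an old but genuine request. The tag compare
    must be constant-time; `==` on strings returns early at the first mismatch.
    """
    if abs(now - ts) > window:
        return False
    expected = sign_webhook(secret, ts, body)
    return hmac.compare_digest(expected, header)


# --- HOTP / TOTP (RFC 4226 / RFC 6238) ---------------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear sign bit
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def totp_from_base32(b32_secret: str, unix_time: int) -> str:
    """Authenticator apps and otpauth:// URIs carry the key as (often unpadded) base32."""
    padded = b32_secret.upper() + "=" * (-len(b32_secret) % 8)
    return totp(base64.b32decode(padded), unix_time)


if __name__ == "__main__":
    secret = b"constructed-signing-secret"
    body = b'{"event":"order.paid","id":42}'
    ts = 1_700_000_000
    header = sign_webhook(secret, ts, body)
    print("fresh request:", verify_webhook(secret, ts, body, header, now=ts + 5))
    print("replayed 10 min later:", verify_webhook(secret, ts, body, header, now=ts + 600))
    print("tampered body:", verify_webhook(secret, ts, body + b" ", header, now=ts))

    rfc_secret = b"12345678901234567890"        # RFC 4226 / RFC 6238 test secret
    print("HOTP counter 0:", hotp(rfc_secret, 0))
    print("TOTP at t=59 (8 digits):", totp(rfc_secret, 59, digits=8))
```

Two points the code makes that the bullet list does not: the timestamp only protects against replay because it is inside the signed data (a window check on an unsigned timestamp is useless), and the OTP truncation masks the top bit so the 31-bit value is the same on every platform regardless of signed-integer handling.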