quiz vs the machine

Security

HMAC Message Authentication

How a keyed hash proves a message was not altered or forged.

4 min read

The Problem a Plain Hash Cannot Solve

A plain hash proves nothing about who produced a message. Anyone who changes the data can simply recompute the hash over the modified data, and the receiver has no way to tell that either was touched. To prove a message came from someone holding a shared secret and was not modified, you need a message authentication code (MAC).

How HMAC Works

HMAC combines a cryptographic hash with a secret key in a specific construction: the key is mixed into an inner hash of the message, and the result is hashed again under the key. The sender computes a tag over the message using the key, and the receiver recomputes it with the same key. If the tags match, the message was produced by a holder of the key and was not modified in transit; if they differ, the receiver rejects the message.

  • HMAC provides integrity and authenticity but not confidentiality: the message itself is still readable.
  • It relies on a shared secret, so both parties must hold the same key, and anyone holding the key can produce valid tags.
  • Compare the received tag using a constant-time check. An ordinary string comparison stops at the first differing byte, and that timing difference can leak the correct tag byte by byte.

HMAC is widely used to authenticate API requests, validate session tokens, and protect webhooks against forgery.
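The following Python example is added here and is not code from the original lesson. It shows the three points above side by side: a plain hash that an attacker can recompute after tampering, the HMAC construction spelled out and checked against the standard library's `hmac` module, and constant-time verification with `hmac.compare_digest`. The secret and the webhook body are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data for this example: a shared secret and a webhook body.
SECRET = b"example-shared-secret-do-not-reuse"
MESSAGE = b'{"order_id": 1234, "amount": 50.00}'


def plain_hash(message: bytes) -> str:
    """Unkeyed SHA-256. Anyone can recompute this after editing the message."""
    return hashlib.sha256(message).hexdigest()


def forge_plain_hash(message: bytes):
    """What an attacker without any key can do against a plain hash:
    edit the data and rehash it. The receiver cannot tell the difference."""
    tampered = message.replace(b"50.00", b"5000.00")
    return tampered, plain_hash(tampered)


def hmac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag using the standard library."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def hmac_manual(key: bytes, message: bytes) -> str:
    """The HMAC construction written out: H((K ^ opad) || H((K ^ ipad) || m)).
    Produces the same tag as hmac.new(); shown to make the keyed structure visible."""
    block_size = hashlib.sha256().block_size  # 64 bytes for SHA-256
    if len(key) > block_size:
        key = hashlib.sha256(key).digest()  # long keys are hashed first
    key = key.ljust(block_size, b"\x00")  # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).hexdigest()


def verify_hmac(key: bytes, message: bytes, received_tag: str) -> bool:
    """Recompute the tag and compare in constant time.
    Never use == here: it short-circuits on the first mismatching byte."""
    expected = hmac_tag(key, message)
    return hmac.compare_digest(expected, received_tag)


if __name__ == "__main__":
    tampered, forged = forge_plain_hash(MESSAGE)
    print("plain hash, tampered body verifies:", plain_hash(tampered) == forged)

    tag = hmac_tag(SECRET, MESSAGE)
    print("manual construction matches hmac module:", hmac_manual(SECRET, MESSAGE) == tag)
    print("HMAC, original body verifies:", verify_hmac(SECRET, MESSAGE, tag))
    print("HMAC, tampered body with old tag:", verify_hmac(SECRET, tampered, tag))
    print("HMAC, tampered body with tag under guessed key:",
          verify_hmac(SECRET, tampered, hmac_tag(b"guessed-key", tampered)))
```

The tampered body passes the plain-hash check because the attacker recomputed the hash; it fails the HMAC check because without `SECRET` they cannot produce a tag the receiver's recomputation will match. Real deployments usually also bind a timestamp or nonce into the message to stop replay of an old, correctly tagged message, which HMAC alone does not prevent.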

Key idea

HMAC mixes a secret key into a hash to produce a tag that proves a message is authentic and unmodified, so use it whenever you must verify integrity between parties who share a key.

Check yourself


1. What does HMAC prove about a message?

2. Why is a plain hash insufficient for authentication?