HMAC Generator (SHA-256 / SHA-512)
Generate HMAC signatures for API authentication, webhook verification, and message authentication. All computation runs in your browser.
Hash vs HMAC: The Key Difference
A plain hash (SHA-256, SHA-512) verifies data integrity but cannot verify the sender's identity. If an attacker intercepts a message and its hash, they can modify the message and recalculate a valid hash — the recipient can't distinguish the original from the tampered version. HMAC (Hash-based Message Authentication Code) solves this by mixing a secret key into the hash computation. Without the secret key, an attacker cannot generate a valid HMAC for a modified message. This makes HMAC suitable for authentication scenarios where both parties share a secret key and need to verify that messages haven't been tampered with.
How HMAC Works
HMAC combines your message with a secret key through two nested hash operations: HMAC(key, message) = Hash((key ⊕ opad) || Hash((key ⊕ ipad) || message)). The inner hash mixes key and message; the outer hash mixes the inner result with the key again. This nested structure prevents length-extension attacks that affect plain hashing. HMAC-SHA256 produces a 256-bit authentication code; HMAC-SHA512 produces 512 bits. The security of HMAC is directly tied to the quality of the secret key — a short or guessable key undermines the entire scheme regardless of the underlying hash algorithm's strength.
API Authentication with HMAC
Many APIs use HMAC to authenticate requests. The pattern: both client and server share a secret key. The client constructs a string to sign (typically including the HTTP method, path, timestamp, and body hash), computes HMAC-SHA256 of that string with the secret key, and includes the hex-encoded result in the Authorization header. The server performs the same computation and compares results — a match proves the request came from someone with the secret key and that the request body wasn't modified. AWS Signature Version 4, Stripe webhook verification, and Shopify webhook validation all use this HMAC pattern.
Webhook Verification
Webhook verification is one of the most common HMAC use cases. When a third-party service sends a webhook to your endpoint, you need to verify it actually came from them and wasn't crafted by an attacker. The service computes HMAC-SHA256 of the request body using a secret key only you and they know, and includes the signature in a header. Your endpoint computes the same HMAC and compares. Always compare HMACs using a constant-time comparison function (like crypto.timingSafeEqual in Node.js) to prevent timing attacks that can leak signature bytes through response time differences.