
Encoders & Crypto

HMAC Generator

HMAC-SHA1/256/384/512 with any secret.


Understanding HMAC

A signature, with a shared secret.

The standard way to prove a message hasn't been tampered with — and that the sender knew the key.

What HMAC is.

HMAC stands for Hash-based Message Authentication Code. Hand it a message and a secret key, and it returns a fixed-length tag. Any party that holds the same key can recompute the tag and check it matches. Anyone without the key can read the message, but cannot forge a tag that will verify — and changing a single byte of the message produces a wildly different tag.

HMAC(key, message) ⇒ tag

Why not just hash the message?

A plain hash gives integrity — you can tell the message changed — but it doesn't give authenticity. Anyone can recompute the hash. HMAC mixes a secret key into the hash in a careful way (two passes, with two different paddings of the key) so only parties holding the key can produce a tag that verifies. The construction is provably secure as long as the underlying hash is, and it's the building block behind nearly every webhook signature scheme on the web.

HS256 in JWTs.

When a JWT's header says alg: HS256, the signature is exactly an HMAC-SHA256 over the base64url-encoded header.payload string, keyed with the shared secret. The same key signs and verifies, which is why HS256 is fine for one server talking to itself but the wrong choice when clients or parties you don't trust need to verify the token: anyone who can verify can also mint. For that, asymmetric algorithms like RS256 give you a private signing key and a public verifying key.

Webhook signatures.

Stripe, GitHub, Slack and almost every modern API ship webhooks with an HMAC signature header. The recipe is the same: the provider HMACs the request body (often plus a timestamp) with a secret only you and they know, and ships the tag in a header. You recompute the tag on receipt and refuse the request if it doesn't match. That single step closes modification and spoofing outright; when the timestamp is part of the signed data and you reject stale ones, it closes replay and time-shifted requests too.

Constant-time comparison.

When you check the incoming tag against your computed one, don't use ordinary string equality. A naive comparison stops at the first byte that differs, which leaks timing information an attacker can use to slowly forge a valid tag byte by byte. Use crypto.timingSafeEqual in Node, hmac.compare_digest in Python, or the equivalent in your stack — they always look at every byte before returning.

Pick your hash.

HMAC works with any cryptographic hash; the four common choices are SHA-1, SHA-256, SHA-384 and SHA-512. SHA-256 is the modern default. SHA-1 is still acceptable for HMAC (the underlying collisions don't translate into HMAC forgeries) but choosing it for new work is hard to defend. SHA-512 is faster on 64-bit hardware. The output length is the hash's natural length — 32 bytes for SHA-256, 64 for SHA-512.


Frequently asked questions

Quick answers.

What is HMAC?

Hash-based Message Authentication Code — a way to verify a message hasn't been tampered with using a shared secret. Common in webhook signing.

Is HMAC encryption?

No — HMAC is authentication. The message itself is in cleartext; HMAC just lets the receiver verify it came from someone with the same secret.

Which algorithm should I use?

HMAC-SHA256 is the modern default. HMAC-SHA1 is still common in older systems but should be avoided for new work.

Is my secret sent to a server?

No — generation runs entirely in your browser via the Web Crypto API.

Is the generator free?

Yes — fully free, no signup.
