← Back

HMAC Authentication

Hash-based Message Authentication Code

HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m))

🔑

Secret Key

Shared between sender and receiver

📝

Message

Data to authenticate

🔐

HMAC Tag

Proves authenticity & integrity

Secret Key (shared between parties)

Message

Generated HMAC-SHA256

Click "Generate HMAC" to compute

Verify Message Authenticity

Paste an HMAC to verify the message hasn't been tampered with:

Tampering Demonstration

Try changing the message slightly and see how the HMAC completely changes:

Tampered Message

Why HMAC Matters

HMAC provides both integrity (message hasn't been modified) and authentication (message came from someone with the secret key). Unlike digital signatures, HMAC uses symmetric keys, making it faster and suitable for high-throughput applications.

HMAC is used in JWT tokens, API authentication, cookie signing, and secure protocols like TLS.