Hash-based message authentication code (hmac)


HMAC or Hash-based message authentication code is a specific type of message authentication code (MAC) involving:

As the private key (secret) is stored on the client side (code, config file), there is a possibility for an agressor to retrieve it via reverse engineering

Concept - Example

HMAC does not encrypt the message. Instead, the message (encrypted or not) is sent alongside the HMAC hash. Parties with the secret key will hash the message again themselves, and if it is authentic, the received and computed hashes will match.

Your client (for instance: mobile app, react app) will need:

  • a public API key that:
    • identifies the client,
    • is send along with the request.
    • is public (everyone can see it).
  • and a private / cryptographic key that:
    • should never be sent along with the request,
    • is known by the client (embedded key in app)
    • is known by the server
    • is used to hash the message that will be sent to the server.



The HMAC can be generated using a SHA1 / MD5 algorithm, a message that should be generated by an algorithm that both server and client know.

Naming (HMAC-MD5 or HMAC-SHAX)

The resulting MAC algorithm is termed HMAC-X, where X is the hash function used (e.g. HMAC-MD5 or HMAC-SHA1).

Documentation / Reference

Discover More
Jwt Auth Flow
Authentication - Jwt (Json web token)

json web token is a token. It's also known as jot. When a JWT is signed, it becomes a JWS and can be used for sender authentication and authorization. The main purpose of JWTs is to transfer (ie identity...
Consistent Hashing
Cryptography - Hash

A hash function is an encryption crypto algorithm that takes as data as input (possibly large and of variable-sized) and produces a short fixed-length integer value (generally printed as an hexadecimal...
Data System Architecture
How to protect numerical Id ? (obfuscate, id encryption)

This page is how to obfuscate / protect a internal id. So that even if they are public, they cannot be guessed. This is mostly used to prevent guessing your data. For instance, you can estimate...
Kerberos - Encryption type

encryption in Kerberos Encryption is used for both the ticket-granting-ticket and session tickets. There are three components: the client, the KDC, and the server. Each one may support a...

Share this page:
Follow us:
Task Runner