Hash-based message authentication code (hmac)


HMAC or Hash-based message authentication code is a specific type of message authentication code (MAC) involving:

As the private key (secret) is stored on the client side (code, config file), there is a possibility for an agressor to retrieve it via reverse engineering

Concept - Example

HMAC does not encrypt the message. Instead, the message (encrypted or not) is sent alongside the HMAC hash. Parties with the secret key will hash the message again themselves, and if it is authentic, the received and computed hashes will match.

Your client (for instance: mobile app, react app) will need:

  • a public API key that:
    • identifies the client,
    • is send along with the request.
    • is public (everyone can see it).
  • and a private / cryptographic key that:
    • should never be sent along with the request,
    • is known by the client (embedded key in app)
    • is known by the server
    • is used to hash the message that will be sent to the server.



The HMAC can be generated using a SHA1 / MD5 algorithm, a message that should be generated by an algorithm that both server and client know.

Naming (HMAC-MD5 or HMAC-SHAX)

The resulting MAC algorithm is termed HMAC-X, where X is the hash function used (e.g. HMAC-MD5 or HMAC-SHA1).

Documentation / Reference

Powered by ComboStrap