HMAC (Hash-based Message Authentication Code) is a cryptographic technique that uses a secret key and a hash function to verify both the authenticity and integrity of a message.

## How HMAC Works

1. Combine the secret key with the message
2. Apply a hash function (e.g., SHA-256)
3. The result is the HMAC signature
4. The recipient recalculates the HMAC and compares it with the one received

```
HMAC = Hash(secret_key + message)
```

This is the simplified view. The standard HMAC construction applies the hash twice, mixing the key in with inner and outer padding, which is what keeps it safe against length-extension attacks on the underlying hash.

## HMAC in API Authentication

For each API request (pseudocode; `HMAC_SHA256` stands for an HMAC-SHA256 keyed with `api_secret`):

```javascript
const signature = HMAC_SHA256(
  api_secret,
  timestamp + "." + method + "." + path + "." + body
);
```

Headers sent:

- `X-Signature`: The HMAC signature
- `X-Timestamp`: Unix timestamp
- `X-API-Key`: Your API key

## Security Properties

| Property | Description |
|----------|-------------|
| Authenticity | Only a holder of the secret can create a valid signature |
| Integrity | Any change to the message invalidates the signature |
| Non-repudiation | Sender cannot deny creating the message |

## Common HMAC Algorithms

| Algorithm | Output Size | Security |
|-----------|-------------|----------|
| HMAC-SHA256 | 256 bits | Recommended |
| HMAC-SHA384 | 384 bits | Higher security |
| HMAC-SHA512 | 512 bits | Maximum security |

## Best Practices

- Use timing-safe comparison: prevents timing attacks
- Include a timestamp: prevents replay attacks
- Keep secrets secure: never expose them in client code
- Rotate secrets: change them periodically

## Related

- API Authentication
- Webhooks
- Crypto Payment Gateway Webhook Security Guide
- API Authentication Guide

## Verification Example
```javascript
const crypto = require('crypto');

function verify(message, signature, secret) {
  // Recompute the HMAC-SHA256 over the received message with the shared secret
  const expected = crypto
    .createHmac('sha256', secret)
    .update(message)
    .digest('hex');
  const given = Buffer.from(signature);
  const want = Buffer.from(expected);
  // timingSafeEqual throws if the buffers differ in length, so reject
  // a wrong-length signature before comparing
  if (given.length !== want.length) return false;
  return crypto.timingSafeEqual(given, want);
}
```