HMAC Signature
HMAC (Hash-based Message Authentication Code) is a technique used to verify both the integrity (ensuring data isn’t altered) and authenticity (ensuring data comes from a trusted source) of messages.
In cryptography, a message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message. In other words, it is used to confirm that the message came from the stated sender (its authenticity) and has not been changed (its integrity). The MAC value allows verifiers (who also possess a secret key) to detect any changes to the message content.
Any cryptographic hash function may be used in the calculation of an HMAC. The resulting MAC algorithm is termed HMAC-x, where x is the hash function used (e.g. HMAC-SHA256 or HMAC-SHA3-512). The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and the size and quality of the key.
Example
Imagine we have a service that handles real money transactions, transferring money from one account to another. We need to make sure that each request comes from a trusted source and has not been tampered with or modified in transit. HMAC fits this purpose because it offers both authentication and an integrity check with a single value.
Our service accepts a payload message with the following structure in JSON format.
Generate a secret key for the HMAC and store it safely. The key is not an encryption key: it is shared between the sender and the verifier, so anyone who obtains it can forge valid signatures. It should be random, at least as long as the hash output (32 bytes for SHA-256), and never derived from a password or hard-coded. In a real-world scenario it is recommended to create a different secret for each user or client, so that a valid signature also identifies who sent the request and a leaked key only affects one sender.
Below is how you can create an HMAC signature with SHA-256 in Go. Replace the key with your generated key and the message with your JSON payload.
This signature is usually placed in a request header. Verifying it is simple: the backend recomputes the signature over the request payload exactly as it was received (the raw body bytes, before any JSON decoding or re-serialization) and compares the result with the signature from the request header. The comparison must be constant-time, otherwise an attacker can learn the expected value byte by byte from response timing.
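The following Go program is an added example, not code from the original page. It covers both steps described above: signing the payload with HMAC-SHA256 and verifying the signature on the backend with `hmac.Equal` for a constant-time comparison. The header name `X-Signature`, the `GenerateKey`/`Sign`/`Verify` function names and the sample JSON payload are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// SignatureHeader is the request header that carries the hex-encoded MAC.
// The name is an assumption for this example.
const SignatureHeader = "X-Signature"

// GenerateKey returns a fresh random secret. 32 bytes matches the SHA-256
// output size, the recommended minimum key length for HMAC-SHA256.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Sign computes HMAC-SHA256 over the exact request body bytes and returns
// the tag as lowercase hex, ready to be placed in the signature header.
func Sign(key, message []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(message) // hash.Hash.Write never returns an error
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the MAC over the body the server received and compares
// it with the header value. hmac.Equal runs in constant time, so response
// timing does not reveal how many leading bytes of a guess were correct.
// Malformed and mismatched signatures are both rejected with plain false.
func Verify(key, message []byte, signatureHex string) bool {
	received, err := hex.DecodeString(signatureHex)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(message)
	expected := mac.Sum(nil)
	return hmac.Equal(expected, received)
}

func main() {
	key, err := GenerateKey()
	if err != nil {
		log.Fatal(err)
	}

	// Constructed sample payload; a real client signs the bytes it sends.
	payload := []byte(`{"from":"acc-001","to":"acc-002","amount":100,"currency":"USD"}`)

	// Client side: sign the body and send the tag in the header.
	sig := Sign(key, payload)
	fmt.Printf("%s: %s\n", SignatureHeader, sig)

	// Server side: recompute over the received body and compare.
	fmt.Println("valid request:   ", Verify(key, payload, sig))

	// An attacker changing the amount invalidates the tag.
	tampered := []byte(`{"from":"acc-001","to":"acc-002","amount":1000,"currency":"USD"}`)
	fmt.Println("tampered payload:", Verify(key, tampered, sig))

	// A tag produced with a different secret is rejected too.
	fmt.Println("wrong key:       ", Verify([]byte("not-the-key"), payload, sig))
}
```

Two practical points follow from how the verifier works: the server must read the raw body before decoding it, because re-serializing the JSON may reorder keys or change whitespace and the MAC will no longer match; and a valid signature on its own does not stop an attacker from replaying a captured request, so a timestamp or nonce should be part of the signed payload and checked by the server.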