How to Generate and Verify HMAC Signatures in Python, Node.js, and Go
Learn how to generate and verify HMAC signatures in Python, Node.js, and Go. Secure your API with practical examples, code snippets, and a free online HMAC generator.
APIs and webhooks depend heavily on HMAC (Hash-based Message Authentication Code) to ensure that every request you receive is authentic and unaltered.
Without signature verification, your application could be vulnerable to spoofing, data tampering, or replay attacks. For a deeper explanation of how HMAC fits into broader API security architecture, see our companion guide: HMAC API Security: A Complete Developer’s Guide.
In this guide, you’ll learn:
- What an HMAC signature is and how it works
- How to generate and verify HMAC signatures in Python, Node.js, and Go
- Common mistakes developers make and how to fix them
- How to test your HMACs using a free online tool: Authgear’s HMAC Signature Generator & Verifier
What Is an HMAC Signature?
An HMAC (Hash-based Message Authentication Code) is a message authentication code created by combining a cryptographic hash function (like SHA256) with a secret key.
It ensures two critical properties:
- Integrity: The message hasn’t been modified in transit.
- Authenticity: The message came from a trusted source that knows the secret key.
The formula is conceptually simple:
HMAC = hash(secret_key + message)
Both the sender and receiver use the same secret key. If both sides compute the same HMAC value, the message is valid.
Why Use HMAC for APIs?
When APIs accept requests — for example, POST /payment — you need to verify that the request came from a trusted client.
HMAC-based signing ensures that only senders with the correct secret can generate a valid signature.
Typical flow:
- The client computes an HMAC for the request body.
- It sends the request with a header such as
X-Signature: <hmac_value>. - The server recalculates the HMAC and compares the two.
- If they match, the request is trusted and processed.
Many large platforms like Stripe, Shopify, GitHub, AWS, and Slack use HMAC for webhook verification and secure request signing.
How HMAC Works Step by Step
- Combine the secret and message.
- Hash the combination using a cryptographic algorithm (e.g., SHA256).
- Compare both signatures to confirm authenticity.
- Choose the right algorithm:
- HMAC-SHA256 (recommended for most cases)
- HMAC-SHA1 (legacy)
- HMAC-SHA512 (for high-security applications)
Generate and Verify HMAC in Python
Python’s hmac and hashlib libraries make generating HMACs straightforward.
Always use compare_digest() for verification — it prevents timing attacks.You can try generating your own message and signature using Authgear’s free HMAC Signature Generator & Verifier tool.
Generate and Verify HMAC in Node.js
Node’s built-in crypto library provides similar functionality.
The timingSafeEqual function avoids timing-based comparison leaks.
Generate and Verify HMAC in Go
Go’s crypto/hmac package provides a clean interface for HMAC generation and verification.
Real-World Example: Signing API Requests
Here’s an example of how HMAC signatures are used to authenticate API requests.
Client (Sender):
Server (Receiver):
This ensures only authorized senders can submit valid requests.
Common Mistakes and How to Fix Them
| Problem | Likely Cause | Solution |
|---|---|---|
| Invalid HMAC Signature | Encoding mismatch (UTF-8 vs ASCII) | Ensure both client and server use UTF-8 encoding consistently. |
| Mismatched Signatures | Different algorithms used on each side | Verify both are using the same algorithm, such as HMAC-SHA256. |
| Timing Attack Risk | Using == for string comparison |
Always use secure comparison functions like compare_digest() or timingSafeEqual(). |
| Unexpected Output | Inconsistent digest formats (hex vs base64) | Standardize output format with .hexdigest() or .base64encode() consistently. |
Choosing the Right Hash Algorithm
| Algorithm | Security Level | Performance | Recommended Use |
|---|---|---|---|
| SHA-1 | Weak / Legacy | Very fast | Only for backward compatibility with legacy systems. |
| SHA-256 | Strong | Balanced | Recommended default for API signing and webhook verification. |
| SHA-512 | Very strong | Slightly slower | Ideal for high-security or large-payload applications. |
Testing Your HMAC Online
You can instantly generate and verify your HMAC signatures using Authgear’s free online tool: HMAC Signature Generator & Verifier
The tool supports:
- Algorithms: SHA-1, SHA-256, SHA-512
- Generate and Verify modes
- Copy-to-clipboard output
- Real-time hex output
It’s ideal for quickly testing your request signatures or debugging mismatched API keys.
Frequently Asked Questions
What algorithm does HMAC use?
HMAC can use SHA256, SHA1, or SHA512. SHA256 is most commonly used for APIs because it’s secure and widely supported.
Can I use HMAC for API authentication?
Yes. Platforms like Stripe, AWS, and GitHub use HMAC to sign API requests and webhooks.
What’s the difference between HMAC and hashing?
Hashing only ensures data integrity, while HMAC ensures both integrity and authenticity by including a shared secret key.
Is HMAC the same as JWT?
No. JWTs (JSON Web Tokens) can use HMAC algorithms (like HS256), but JWTs also carry payload data for stateless authentication.
What tools can I use to test HMAC online?
Authgear offers a free HMAC Signature Generator & Verifier, plus related tools like a JWK Generator, JWT Decoder, and the complete Authgear Developer Toolkit.