Computes a hash-based message authentication code (HMAC) using a secret key and your favorite hashing function.
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to verify data integrity and authenticity.
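A regular hash only verifies data integrity, and anyone can recompute it over modified data. HMAC additionally requires a shared secret key, so only a party holding the key can produce or check a valid code.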
In API request signing, the client computes an HMAC of the request parameters plus a timestamp using a shared secret key, then includes it in the request header. The server recomputes the HMAC to verify the request has not been tampered with and originated from a legitimate client. This pattern is used by AWS Signature V4 and many webhook security implementations.
API signing flow: the server and client share a secret key; the client signs the request content (URL + timestamp + body) with HMAC and includes the signature in the request header; the server recomputes the HMAC with the same key and compares it to the value in the header. A match means authentication passes. The timestamp prevents replay attacks (usually with a 5-minute window). AWS, Stripe, and GitHub Webhooks all use this approach.