Need to authenticate messages or verify webhook signatures? This guide covers everything you need to know about generating HMAC signatures programmatically via API, including algorithm choices, use cases, and implementation examples in multiple languages.
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic construction that combines a secret key with a hash function to produce a signature. It provides both data integrity and authenticity verification.
For example, signing the message "Hello World" with key "secret" using HMAC-SHA256 produces: 734cc62f32841568f45715aeb9f4d7891324e6d948e4c6c60c0621cdac48623a
HMAC Algorithms
Different hash functions can be used with HMAC:
HMAC-SHA256 (Recommended)
The industry standard for most applications. Provides 256-bit security and is used by AWS, Stripe, GitHub, and most modern APIs.
HMAC-SHA512
Higher security variant with 512-bit output. Use when maximum security is required or when performance isn't critical.
HMAC-SHA1
Legacy algorithm still used by some services. It remains secure when used in HMAC, but SHA256 is preferred for new implementations.
Using the HMAC API
TinyFn provides a simple endpoint to generate HMAC signatures:
Request:
```
POST https://api.tinyfn.io/v1/crypto/hmac
X-API-Key: your-api-key
Content-Type: application/json

{
  "message": "Hello World",
  "key": "your-secret-key",
  "algorithm": "sha256"
}
```
Response:
```json
{
  "signature": "734cc62f32841568f45715aeb9f4d7891324e6d948e4c6c60c0621cdac48623a",
  "algorithm": "sha256",
  "encoding": "hex"
}
```
Parameters
| Parameter | Type | Description |
|---|---|---|
| message | string | The message to sign |
| key | string | The secret key for signing |
| algorithm | string | Hash algorithm: sha256, sha512, sha1, md5 (default: sha256) |
| encoding | string | Output encoding: hex, base64 (default: hex) |
Code Examples
JavaScript / Node.js
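```javascript
// Top-level await: run this as an ES module or inside an async function.
const response = await fetch(
  'https://api.tinyfn.io/v1/crypto/hmac',
  {
    method: 'POST',
    headers: {
      'X-API-Key': 'your-api-key',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      message: 'webhook-payload-here',
      key: 'webhook-secret',
      algorithm: 'sha256'
    })
  }
);
// Fail loudly on HTTP errors instead of reading a missing field.
if (!response.ok) {
  throw new Error(`HMAC request failed: ${response.status}`);
}
const { signature } = await response.json();
console.log(signature);
// Prints the hex-encoded HMAC-SHA256 of the message under the given key
```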
Python
```python
import requests

response = requests.post(
    'https://api.tinyfn.io/v1/crypto/hmac',
    json={
        'message': 'webhook-payload-here',
        'key': 'webhook-secret',
        'algorithm': 'sha256'
    },
    headers={'X-API-Key': 'your-api-key'},
    timeout=10  # do not hang indefinitely on a stalled connection
)
response.raise_for_status()  # surface HTTP errors before parsing the body
signature = response.json()['signature']
print(signature)
# Prints the hex-encoded HMAC-SHA256 of the message under the given key
```
cURL
```bash
curl -X POST "https://api.tinyfn.io/v1/crypto/hmac" \
  -H "X-API-Key: your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "message": "webhook-payload-here",
    "key": "webhook-secret",
    "algorithm": "sha256"
  }'
```
Common Use Cases
- Webhook Verification: Verify incoming webhooks from services like Stripe, GitHub, Shopify
- API Request Signing: Sign API requests for services like AWS
- Token Generation: Create secure, verifiable tokens
- Data Integrity: Ensure data hasn't been tampered with in transit
- Session Cookies: Sign session data to prevent manipulation
Best Practices
- Use constant-time comparison: Prevent timing attacks when comparing signatures
- Keep keys secret: Never expose HMAC keys in client-side code
- Rotate keys regularly: Update signing keys periodically
- Include timestamps: Prevent replay attacks by including a timestamp in signed messages
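The constant-time comparison and timestamp practices above, combined in a webhook receiver. This is an added example, not TinyFn's code: it computes the HMAC locally with Python's standard library, and the function names, the `<timestamp>.<body>` signed layout and the 300-second window are assumptions for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; tune to clock skew and retry policy


def sign_webhook(key: bytes, timestamp: int, body: bytes) -> str:
    """Return hex HMAC-SHA256 over "<timestamp>.<body>" (assumed message layout)."""
    signed = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(key, signed, hashlib.sha256).hexdigest()


def verify_webhook(key, timestamp_header, signature_header, body, now=None):
    """Accept a request only if its timestamp is fresh and its signature matches."""
    now = time.time() if now is None else now
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        return False  # missing or non-numeric timestamp header
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    # The timestamp is part of the signed bytes, so it cannot be refreshed
    # by someone who captured an old request but does not hold the key.
    expected = sign_webhook(key, timestamp, body)
    try:
        # compare_digest takes time independent of where the strings differ;
        # == can leak how many leading characters were correct.
        return hmac.compare_digest(expected, signature_header.lower())
    except (TypeError, AttributeError):
        return False  # missing or non-ASCII signature header


if __name__ == "__main__":
    # Constructed sample data, not a real secret or payload.
    key = b"webhook-secret"
    body = b'{"event":"payment.succeeded","id":"evt_123"}'
    sent_at = 1_700_000_000
    sig = sign_webhook(key, sent_at, body)
    print("fresh:   ", verify_webhook(key, str(sent_at), sig, body, now=sent_at + 30))
    print("tampered:", verify_webhook(key, str(sent_at), sig, body + b" ", now=sent_at + 30))
    print("replayed:", verify_webhook(key, str(sent_at), sig, body, now=sent_at + 3600))
```

Verify against the raw request bytes as received; re-serializing parsed JSON before hashing can change the bytes and make valid signatures fail.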
Use via MCP
Your AI agent can call this tool directly via Model Context Protocol — no HTTP code needed. Add TinyFn to Claude Desktop, Cursor, or any MCP client:
```json
{
  "mcpServers": {
    "tinyfn-crypto": {
      "url": "https://api.tinyfn.io/mcp/crypto/",
      "headers": {
        "X-API-Key": "your-api-key"
      }
    }
  }
}
```
See all cryptography tools available via MCP in our Cryptography MCP Tools for AI Agents guide.