
✉️ Verify Messages Haven't Been Tampered With

Learn how HMAC uses hash functions and secret keys to authenticate messages

🔐 HMAC Authentication

How do blockchain APIs know a message truly comes from you AND hasn't been tampered with? Welcome to HMAC - the cryptographic guardian of API communications!

🚨 The API Security Problem

When you send a transaction to a blockchain API, two critical questions arise:

Question 1: Authenticity

Did this request actually come from you, or is someone pretending to be you?

Question 2: Integrity

Has the message been altered in transit? Did "Send 1 BTC" become "Send 100 BTC"?

🎮 Compare: Vulnerable vs Secure

🚨 INSECURE: Anyone Can Forge Requests
You send:
POST /api/transfer
{amount: 10, to: "Alice"}
⚠️ Attacker intercepts and modifies:
POST /api/transfer
{amount: 1000, to: "Hacker"}
❌ API accepts the modified request!

The server has no way to verify the message wasn't tampered with.

🤔 What Makes HMAC Special?

🔑 Shared Secret Key

Both you and the server know the secret key. Attackers don't!

🔐 Cryptographic Hash

Combines your message with the secret key using SHA-256 (or similar)

Authenticity Proof

Only someone with the secret key could create this signature

🛡️ Integrity Check

Changing even one character invalidates the entire signature
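
The four properties above, applied to the transfer request from the comparison, as an added example that is not part of the original module. The demo key, the canonical message layout (method, path and body joined by newlines) and the `/api/withdraw` path are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real key lives in a secret store, not in source.
SECRET_KEY = b"demo-shared-secret-not-for-production"


def canonical_message(method: str, path: str, body: bytes) -> bytes:
    """Bind method, path and the exact body bytes so none can be swapped unnoticed."""
    return b"\n".join([method.upper().encode(), path.encode(), body])


def sign(key: bytes, method: str, path: str, body: bytes) -> str:
    """Client side: HMAC-SHA256 tag over the canonical message, hex encoded."""
    return hmac.new(key, canonical_message(method, path, body), hashlib.sha256).hexdigest()


def verify(key: bytes, method: str, path: str, body: bytes, tag: str) -> bool:
    """Server side: recompute the tag and compare it in constant time."""
    expected = sign(key, method, path, body)
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
    return hmac.compare_digest(expected.encode(), tag.encode())


def demo() -> dict:
    """Sign the legitimate request, then check it and three altered variants."""
    body = json.dumps({"amount": 10, "to": "Alice"}, sort_keys=True).encode()
    tag = sign(SECRET_KEY, "POST", "/api/transfer", body)
    tampered = json.dumps({"amount": 1000, "to": "Hacker"}, sort_keys=True).encode()
    return {
        "original": verify(SECRET_KEY, "POST", "/api/transfer", body, tag),
        "tampered_body": verify(SECRET_KEY, "POST", "/api/transfer", tampered, tag),
        "different_path": verify(SECRET_KEY, "POST", "/api/withdraw", body, tag),
        "wrong_key": verify(b"not-the-shared-key", "POST", "/api/transfer", body, tag),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} -> {'accepted' if accepted else 'rejected'}")
```

Only the unmodified request verifies. The server compares tags with `hmac.compare_digest` rather than `==` so the comparison time does not reveal how many leading characters of a guessed tag were correct.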

🌍 Where You've Seen HMAC Before

💱 Crypto Exchange APIs

Binance, Coinbase, Kraken all use HMAC to secure API requests

💰 Payment Gateways

Stripe, PayPal use HMAC for webhook verification

🌐 Web APIs

AWS, Google Cloud, Azure use HMAC-based request signing

🔗 Blockchain Nodes

RPC endpoints often require HMAC authentication

🎯 What You'll Learn

How HMAC combines hashing and secret keys
Step-by-step HMAC signature creation process
Build your own HMAC signatures interactively
Why attackers can't forge HMAC signatures
Implement HMAC authentication in real APIs