Python HMAC Authentication — ELI5

Imagine you’re passing notes in class. You write a message and fold it up. But how does your friend know nobody changed the words before it reached them?

You could agree on a secret code beforehand — say, you always write the first letter of every word at the bottom of the note. Your friend checks those letters against the message. If they match, the note is untouched. If they don’t, someone messed with it.

HMAC (Hash-based Message Authentication Code) works exactly like this, but with math instead of first letters. You and the other side share a secret key that nobody else knows. When you send a message, you mix the message and the secret key together through a special blender to produce a short code — the HMAC. You attach that code to the message.

The receiver takes the same message, mixes it with the same secret key, and checks whether they get the same code. If yes, two things are guaranteed: the message hasn’t been changed, and it came from someone who knows the secret key.

This is different from a regular fingerprint (hash). A plain hash can be recalculated by anyone — no secret needed. An HMAC requires the key, so only authorized parties can create or verify one.

Python’s hmac module handles all of this in a few lines. Webhook providers like GitHub, Stripe, and Slack use HMAC to sign every notification they send to your server, so you can be sure the data is genuine before you act on it.
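The sender/receiver exchange described above, written out with Python's hmac module. This is an added example, not code from the original post; the shared secret, the JSON body and the `X-Signature` header name are constructed for the demo.

```python
import hashlib
import hmac

SIGNATURE_HEADER = "X-Signature"  # hypothetical header name, constructed for this demo


def sign(secret: bytes, body: bytes) -> str:
    """Sender: blend the message and the secret key into the seal (HMAC-SHA256, hex)."""
    mac = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={mac}"


def verify(secret: bytes, body: bytes, headers: dict) -> bool:
    """Receiver: recompute the seal over the exact bytes received and compare.

    compare_digest is used instead of == so the comparison takes the same time
    whether the first byte or the last byte differs.
    """
    presented = headers.get(SIGNATURE_HEADER, "")
    if not presented.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), presented)


def plain_hash(body: bytes) -> str:
    """A keyless fingerprint: anyone can recompute it, so it proves no sender."""
    return hashlib.sha256(body).hexdigest()


def demo() -> dict:
    secret = b"constructed-shared-secret"          # known to sender and receiver only
    body = b'{"event":"order.paid","amount":100}'  # constructed webhook payload
    headers = {SIGNATURE_HEADER: sign(secret, body)}

    tampered = body.replace(b"100", b"999")
    # With a plain hash, whoever changes the note can also rewrite the fingerprint,
    # so a receiver that only checks the hash notices nothing.
    attacker_hash = plain_hash(tampered)
    plain_hash_fooled = plain_hash(tampered) == attacker_hash
    # Without the secret, no seal the receiver accepts can be produced.
    wrong_key_headers = {SIGNATURE_HEADER: sign(b"guess", tampered)}

    return {
        "genuine_accepted": verify(secret, body, headers),
        "tampered_body_rejected": not verify(secret, tampered, headers),
        "wrong_key_rejected": not verify(secret, tampered, wrong_key_headers),
        "missing_header_rejected": not verify(secret, body, {}),
        "plain_hash_fails_to_detect_tamper": plain_hash_fooled,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```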

The one thing to remember: HMAC is a tamper seal that only works if you know the secret — it proves both who sent the message and that nothing was changed.
