
How to Create HMAC in Node.js: Simple Guide with Examples

In Node.js, you create an HMAC by using the crypto module's createHmac function, providing a hashing algorithm and a secret key. Then, update the HMAC with your message and generate the digest in the desired format like hex or base64.

Syntax

The basic syntax to create an HMAC in Node.js uses the crypto.createHmac(algorithm, key) method. You then update it with the message using hmac.update(data) and finalize with hmac.digest(encoding) to get the HMAC string.

  • algorithm: The hash function like sha256 or sha1.
  • key: Your secret key string used for hashing.
  • data: The message or data you want to protect.
  • encoding: Output format such as hex, base64, or latin1.
javascript
const crypto = require('crypto');

const hmac = crypto.createHmac('sha256', 'your-secret-key');
hmac.update('your-message');
const digest = hmac.digest('hex');
console.log(digest);

Example

This example shows how to create an HMAC using the SHA-256 algorithm and a secret key. It outputs the HMAC digest in hexadecimal format.

javascript
import crypto from 'crypto';

const secretKey = 'my_secret_key';
const message = 'Hello, HMAC!';

const hmac = crypto.createHmac('sha256', secretKey);
hmac.update(message);
const hmacDigest = hmac.digest('hex');

console.log('HMAC:', hmacDigest);
Output
HMAC: <64 hexadecimal characters, determined by the key and message>

Common Pitfalls

Common mistakes when creating HMACs include:

  • Using the wrong hashing algorithm or a weak one like md5.
  • Forgetting to update the HMAC with the message before calling digest().
  • Calling digest() multiple times on the same HMAC object (it can only be called once).
  • Using inconsistent encoding formats between HMAC creation and verification.

Always keep your secret key safe and never hardcode it in public code.

javascript
import crypto from 'crypto';

// Wrong: calling digest twice
const hmac = crypto.createHmac('sha256', 'key');
hmac.update('message');
console.log(hmac.digest('hex'));
// console.log(hmac.digest('hex')); // This will throw an error

// Correct way: create a new HMAC if needed again
const hmac2 = crypto.createHmac('sha256', 'key');
hmac2.update('message');
console.log(hmac2.digest('hex'));
Output
<64-character hex digest>
<the same 64-character hex digest>
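
The pitfalls above mention verification and key handling; the following is an added example, not code from the original page, showing one way to verify a received HMAC with a fixed encoding and a constant-time comparison (crypto.timingSafeEqual). The environment variable name HMAC_KEY, the fallback demo key, and the sign/verify helper names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: the key comes from an environment variable (HMAC_KEY is a
// hypothetical name). The fallback is a constructed demo key so this runs offline.
const KEY = process.env.HMAC_KEY || 'constructed-demo-key-not-for-production';

// Create the tag. The encoding is fixed here so signer and verifier agree.
function sign(message, key = KEY) {
  return crypto.createHmac('sha256', key).update(message).digest('hex');
}

// Verify a received hex tag without leaking timing information.
function verify(message, receivedHex, key = KEY) {
  // Reject anything that is not exactly 32 bytes of hex (wrong encoding,
  // truncated tag, wrong type) before comparing.
  if (typeof receivedHex !== 'string' || !/^[0-9a-f]{64}$/i.test(receivedHex)) {
    return false;
  }
  const expected = crypto.createHmac('sha256', key).update(message).digest();
  const received = Buffer.from(receivedHex, 'hex');
  // timingSafeEqual throws on length mismatch; the check above guarantees 32 bytes.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample input.
const message = 'Hello, HMAC!';
const tag = sign(message);
const tagBase64 = crypto.createHmac('sha256', KEY).update(message).digest('base64');

console.log('valid tag:        ', verify(message, tag));
console.log('tampered message: ', verify('Hello, HMAC?', tag));
console.log('base64 tag as hex:', verify(message, tagBase64));
console.log('truncated tag:    ', verify(message, tag.slice(0, 10)));
```

Comparing digests with === can return early on the first differing character; comparing the raw bytes with timingSafeEqual avoids that.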

Quick Reference

Remember these key points when creating HMACs in Node.js:

  • Use crypto.createHmac(algorithm, key) to start.
  • Call update(data) with your message.
  • Call digest(encoding) once to get the HMAC string.
  • Use strong algorithms like sha256 or better.
  • Keep your secret key secure and private.

Key Takeaways

Use Node.js crypto module's createHmac with a strong algorithm and secret key.
Always update the HMAC with your message before calling digest once.
Do not call digest multiple times on the same HMAC instance.
Choose an output encoding like hex or base64 for the digest and use the same one for creation and verification.
Keep your secret key private and never expose it in public code.