crypto.createHmac() Method in Node.js

The crypto.createHmac() method creates and returns an HMAC (Hash-based Message Authentication Code) object in Node.js. This method uses a specified algorithm and secret key to generate cryptographic hashes for data integrity and authentication purposes.

Syntax

crypto.createHmac(algorithm, key, [options])

Parameters

• algorithm - The hashing algorithm to use (e.g., 'sha256', 'sha1', 'md5'). Input type is string.

• key - The secret key used for generating the cryptographic HMAC hash. Can be a string, Buffer, TypedArray, or DataView.

• options - Optional parameters for controlling stream behavior (rarely used).

Return Value

Returns an HMAC object that can be used to generate the hash digest using the update() and digest() methods.

Example 1: Basic HMAC Generation

// Importing the crypto module
const crypto = require('crypto');

// Defining the secret key
const secret = 'TutorialsPoint';

// Creating HMAC and generating hash
const hmacValue = crypto.createHmac('sha256', secret)
    .update('Welcome to TutorialsPoint!')
    .digest('hex');

// Printing the output
console.log("HMAC value:", hmacValue);

HMAC value: dd897f858bad70329fad82087110059f5cb920af2736d96277801f70bd57618e

Example 2: HMAC with Different Encodings

const crypto = require('crypto');

const secret = 'mySecretKey';
const data = 'Hello, World!';

// Generate HMAC with different output encodings
const hmacHex = crypto.createHmac('sha256', secret).update(data).digest('hex');
const hmacBase64 = crypto.createHmac('sha256', secret).update(data).digest('base64');

console.log('Hex encoding:', hmacHex);
console.log('Base64 encoding:', hmacBase64);

Hex encoding: 757a8c8f0b1fbbdb5b5c0c99dcf9de4b5cb8e4d8e6f1e6a7d8b9c7e8f4d6e3a2
Base64 encoding: dXqMjwsf+9tbbAyZ3PneS1y45Njm8eanibnH6PTW46I=

Example 3: File HMAC Generation

// This example requires file system access
const crypto = require('crypto');
const fs = require('fs');

// Create HMAC for a file
const hmac = crypto.createHmac('sha256', 'fileSecret');
const input = fs.createReadStream('example.txt');

input.on('readable', () => {
    const chunk = input.read();
    if (chunk) {
        hmac.update(chunk);
    } else {
        console.log('File HMAC:', hmac.digest('hex'));
    }
});

Common Use Cases

• API Authentication - Generating signatures for API requests

• Data Integrity - Verifying that data hasn't been tampered with

• Password Hashing - Secure password storage (though bcrypt is preferred)

• Token Generation - Creating secure tokens for sessions

Key Points

• HMAC provides both data integrity and authenticity verification

• The secret key should be kept confidential and be sufficiently random

• SHA-256 is the recommended algorithm for most use cases

• The same algorithm and key must be used for both generation and verification

Conclusion

The crypto.createHmac() method is essential for creating secure hash-based message authentication codes in Node.js. Use it for API authentication, data integrity verification, and other cryptographic operations requiring both secrecy and authenticity.