Hash vs HMAC

A hash (SHA-256, MD5) turns any data into a fixed-size fingerprint: useful to verify integrity, but anyone can recompute it. An HMAC is a hash with a secret key: on top of integrity it proves authenticity — that the message was produced by someone who knows the key. The difference is the key.

AspectHashHMAC
Uses a secret keyNoYes
Guarantees integrityYesYes
Guarantees authenticityNoYes
Typical caseChecksum, dedupSign webhooks/APIs
Reproducible without secretYesNo

When to use Hash

Use a plain hash for checksums, file dedup, indexing or comparing content. Never to store passwords as-is (use bcrypt/Argon2 with a salt for that).

When to use HMAC

Use HMAC to sign webhooks, tokens and APIs: the receiver recomputes the HMAC with the shared key and confirms the message was not altered or forged by a third party.

In short: Hash = public integrity. HMAC = integrity + authenticity with a shared secret. If you need to prove "I sent this and it was not tampered with", it is HMAC.

Tools for this