Hash vs HMAC
A hash (SHA-256, MD5) turns any data into a fixed-size fingerprint: useful to verify integrity, but anyone can recompute it. An HMAC is a hash with a secret key: on top of integrity it proves authenticity — that the message was produced by someone who knows the key. The difference is the key.
| Aspect | Hash | HMAC |
|---|---|---|
| Uses a secret key | No | Yes |
| Guarantees integrity | Yes | Yes |
| Guarantees authenticity | No | Yes |
| Typical case | Checksum, dedup | Sign webhooks/APIs |
| Reproducible without secret | Yes | No |
When to use Hash
Use a plain hash for checksums, file dedup, indexing or comparing content. Never to store passwords as-is (use bcrypt/Argon2 with a salt for that).
When to use HMAC
Use HMAC to sign webhooks, tokens and APIs: the receiver recomputes the HMAC with the shared key and confirms the message was not altered or forged by a third party.
In short: Hash = public integrity. HMAC = integrity + authenticity with a shared secret. If you need to prove "I sent this and it was not tampered with", it is HMAC.