🛠️ Build Your Own HMAC
Create HMAC signatures step-by-step and verify message authenticity
🔨 Building HMAC Signatures
Let's build real HMAC signatures like those used by cryptocurrency exchanges! This is exactly how Binance, Coinbase, and others secure their APIs.
📤 Complete HTTP Request with HMAC
Here's what the final authenticated request looks like:
🔍 Server Verification Process
When the server receives your request, it:
Uses your API Key to find the corresponding Secret Key in its database
Concatenates timestamp + method + path + body exactly as you did
Generates its own signature using the Secret Key and payload
If server's signature matches yours: ✅ Request accepted!
If different: ❌ Request rejected (tampering detected)
💻 Code Implementation Example
import hmac
import hashlib
import time

# Your credentials
api_secret = "your_secret_key"
timestamp = str(int(time.time() * 1000))

# Build payload
payload = timestamp + "POST" + "/api/v1/order" + '{"symbol":"BTC","amount":1.5}'

# Generate HMAC signature
signature = hmac.new(
    api_secret.encode('utf-8'),
    payload.encode('utf-8'),
    hashlib.sha256
).hexdigest()

# Add to request headers
headers = {
    "X-API-Key": "your_api_key",
    "X-Timestamp": timestamp,
    "X-Signature": signature
}

⚡ Pro Tips for Production
Reject requests older than 5 minutes to prevent replay attacks
Add a unique nonce to prevent identical request replays
Change API secrets every 90 days for better security
Use a constant-time comparison when checking signatures to prevent timing attacks
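
The server verification process and the production tips above, combined in one server-side check. This is an added example, not code from the original page. The X-Nonce header, the in-memory stores, the choice to append the nonce to the signed payload, and the names sign and verify are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_AGE_MS = 5 * 60 * 1000  # the 5-minute replay window from the tips above
# Constructed sample key store (API key -> secret); a real server uses its database.
SECRETS = {"your_api_key": "your_secret_key"}
SEEN_NONCES = set()  # assumption: in-memory only, never expired in this example


def sign(secret, timestamp, method, path, body, nonce=""):
    """HMAC-SHA256 over timestamp + method + path + body (+ nonce, an assumption)."""
    payload = timestamp + method + path + body + nonce
    return hmac.new(secret.encode("utf-8"), payload.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify(headers, method, path, body, now_ms=None):
    """Return (accepted, reason) for an incoming signed request."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    secret = SECRETS.get(headers.get("X-API-Key", ""))
    if secret is None:
        return False, "unknown api key"
    timestamp = headers.get("X-Timestamp", "")
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False, "bad timestamp"
    if abs(now_ms - int(timestamp)) > MAX_AGE_MS:  # also rejects far-future stamps
        return False, "stale timestamp"
    nonce = headers.get("X-Nonce", "")
    expected = sign(secret, timestamp, method, path, body, nonce).encode("ascii")
    supplied = headers.get("X-Signature", "").encode("utf-8")
    # Constant-time comparison: run time does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, supplied):
        return False, "bad signature"
    # Nonces are recorded only after the signature checks out, so
    # unauthenticated requests cannot fill the store.
    if nonce:
        key = (headers["X-API-Key"], nonce)
        if key in SEEN_NONCES:
            return False, "replayed nonce"
        SEEN_NONCES.add(key)
    return True, "ok"
```

With no nonce supplied, the signed payload is identical to the one built in the code above, so the only replay protection left is the timestamp window.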