ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

HMAC

Hash-based Message Authentication Code. RFC 2104 defines how to build a MAC from a hash function and a shared secret.

Definition

HMAC (Hash-based Message Authentication Code) is an algorithm defined in RFC 2104 (1997) that combines a secret key and a cryptographic hash function (SHA-256, SHA-3, etc.) to produce a message authentication code. HMAC guarantees both integrity and authentication of a message: only a party that shares the key can produce or verify the HMAC.

Origin

HMAC was published in 1996 by Mihir Bellare, Ran Canetti and Hugo Krawczyk, and standardised by IETF in RFC 2104 in February 1997, then in FIPS PUB 198-1 (2008) by NIST. It has become the reference symmetric primitive for signing API requests (AWS Signature, OAuth 1.0, JWT HS256, webhooks), but also in EDI layers such as signed SBDH or payment notifications.

Example in context

X-HMAC-Signature: sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

When an e-invoicing platform receives a webhook notifying that an invoice was rejected by PEPPOL, it verifies this HMAC header against the shared key with its Access Point. If the value does not match, the webhook is rejected with no processing. This practice prevents notification spoofing without imposing PKI complexity.

  • CMS — asymmetric signature format, complementary to symmetric HMAC.
  • MDN — the AS2 acknowledgement whose MIC primitive plays a similar role.
  • TLS 1.3 — TLS uses internal HMACs for key derivation (HKDF).

Last updated: May 14, 2026