Glossary
Message Authentication Code (MAC)
A MAC is a short tag computed from a message and a secret key that proves both integrity and authenticity. HMAC is the most widely used construction.
A Message Authentication Code (MAC) is a short tag derived from a message and a shared secret key. Anyone holding the key can verify that a message is authentic (it came from someone with the key) and intact (it was not modified). Without the key, an attacker cannot forge a valid tag.
A MAC is symmetric: the same secret both produces and verifies tags. That distinguishes it from a digital signature, which uses asymmetric keys so anyone can verify with a public key.
The dominant construction is HMAC, which builds a MAC from an ordinary hash like SHA-256. It is used in TLS, JWT (HS256), API request signing, and as a building block for key derivation functions. Always compare MACs in constant time to avoid timing leaks.
For the mechanics, see HMAC explained, or compute an HMAC in your browser.