hmac_hash Function


C hmac_hash(C data ,C key [,C algorithm [,L toHex ]])



Data to sign


Secret key to use for signature


Defaults to "HMACSHA1". Algorithm to use for signing.


Default = .f.. Returns the value as a hex encoded value instead of a base64 encoded value. If .t., returned value is hex encoded. Otherwise, return value is base64 encoded.


Generates a digital signature of the data using the key and HMACSHA1, HMACSHA256, or any other signing method supported by the .NET Framework


Generates a base64 digital signature of the data using the key and HMACSHA1, HMACSHA256, or any other signing method supported by the .NET Framework. This is useful for verifying file uploads and downloads, and for signing e-commerce documents as required by sites such as Amazon.


Interactive session:

?HMAC_HASH("my data", "my key") 'defaults to "HMACSHA1"
= "Wnw05dPAEo44+bw1luJqAWksvhE="
?HMAC_HASH("my data", "my key", "HMACSHA1")
= "Wnw05dPAEo44+bw1luJqAWksvhE="
?HMAC_HASH("my data", "my key", "HMACSHA256")
= "kBhEzgLKNjSjjzQw7s240hvoY62kDG/wHDjYXry++nA="
?HMAC_HASH("my data", "my key", "HMACSHA384")
= "1819IdbuGcIweTIhYBwIK1mOmNrlpgRKK98gnDlVJyXug36wQoDWuBoGlB/GfMqc"

?HMAC_HASH("my data", "1234567890123456", "MACTripleDES") 
= "XV17/zrLgzk="
?HMAC_HASH("my data", "123456789012345678901234", "MACTripleDES") 
= "MvLeC8oR/vw="
?HMAC_HASH("my data", "my key", "hMACmd5") 'not case sensitive
= "6YeAf6EEZBgdF4BqkAQe/w=="
The value returned is in base64, which is what most e-commerce sites want. If you try to compare base64 with an online hash calculator that returns hexadecimal, they will not appear to match. Also, HMAC hashes are encrypted with a key, unlike simple unencrypted hashes such as SHA-1.

Troubleshooting Hash Problems

Given the same key, data, and algorithm, a hash will always return the same value. A service you are calling, or a client calling your service, will return a hash that does not match yours in the following scenarios:

  • The key does not match. Make sure you are using the correct key.
  • The algorithm does not match. Make sure you picked the same algorithm the service your are calling is using.
  • The data does not match. This can occur when data sent over HTTP to a service is being normalized.

    For example, carriage-return/linefeeds (CR-LF) in the data may be converted into linefeeds (LF), or data character encoding may change.

    If the data is being normalized when it is sent, you will need to adjust the data when calculating the hash. For example, if carriage returns are being removed, convert all CR-LF values to chr(10) in the data before creating the hash:

    ' Convert CR-LF (crlf()) to linefeeds (chr(10)):
    data = strtran(data,crlf(),chr(10))
    HMAC_HASH(data, "my key", "HMACSHA1")

    If data is URLENCODED, you may need to urldecode it before calculating the hash:

    ' URL Decode data:
    data = urldecode(data)
    HMAC_HASH(, "my key", "HMACSHA1")

See Also