--- title: digest.hmac_sha512_base64 summary: null url: >- https://www.fastly.com/documentation/reference/vcl/functions/cryptographic/digest-hmac-sha512-base64 --- ``` STRING digest.hmac_sha512_base64(STRING key, STRING input) ``` **Available in:** all subroutines Returns the HMAC-SHA512 of `message` using `key`, encoded as a Base64 string. ## Parameters | Parameter | Type | Description | | --------- | ------ | ----------------------------------- | | `key` | STRING | The secret key for HMAC computation | | `message` | STRING | The message to authenticate | The `key` is used directly as the HMAC key. For keys longer than 128 bytes (the SHA-512 block size), the key is first hashed with SHA-512 before use, as specified in RFC 2104. ## Return value Returns an 88-character Base64-encoded string representing the 512-bit (64-byte) HMAC, using standard Base64 encoding (RFC 4648 Section 4) with padding. Example output: `W2om8pD7KNUtn4cwT0xG3yJj7J0BmHRElW+WAwO5prI+1CWke2N6mWCf+dofrhAPyrPMJ5uY+tCtdAnmnnQlOw==` If `key` is empty or not set, the function returns an empty string (not set). ## Base64 encoding This function uses standard Base64 encoding as defined in RFC 4648 Section 4: | Property | Value | | -------- | ----------------- | | Alphabet | `A-Za-z0-9+/` | | Padding | `=` (always used) | ## Examples ### Basic usage ```vcl declare local var.hmac STRING; set var.hmac = digest.hmac_sha512_base64("secret-key", "hello world"); # Result: W2om8pD7KNUtn4cwT0xG3yJj7J0BmHRElW+WAwO5prI+1CWke2N6mWCf+dofrhAPyrPMJ5uY+tCtdAnmnnQlOw== ``` To verify this output using OpenSSL: ```term $ echo -n "hello world" | openssl dgst -sha512 -hmac "secret-key" -binary | openssl base64 W2om8pD7KNUtn4cwT0xG3yJj7J0BmHRElW+WAwO5prI+1CWke2N6mWCf+dofrhAPyrPMJ5uY+tCtdAnmnnQlOw== ``` ### RFC 4231 test vector ```vcl declare local var.hmac STRING; set var.hmac = digest.hmac_sha512_base64("key", "The quick brown fox jumps over the lazy dog"); # Result: tCrwkFe6weLUFwjkipAuCbX/fxKrQopP6GZTxz3SSPuC+UilSfe3kaW0GRXuTR7Dk1NX5OIxclDQNyr6Lr7rOg== ``` ### API authentication with Base64 signature ```vcl sub vcl_recv { declare local var.string_to_sign STRING; declare local var.signature STRING; declare local var.api_secret STRING; set var.api_secret = table.lookup(api_keys, "secure-service"); if (var.api_secret == "") { error 500 "API secret not configured"; } set var.string_to_sign = req.http.Date + "\n" + req.method + "\n" + req.url.path; set var.signature = digest.hmac_sha512_base64(var.api_secret, var.string_to_sign); set req.http.X-Auth-Signature = var.signature; } ``` ## Comparison with hex output | Function | Output Length | Example Output (truncated) | | ----------------------------- | ------------- | --------------------------------------- | | `digest.hmac_sha512()` | 130 chars | `0x5b6a26f290fb28d52d9f87304f4c46df...` | | `digest.hmac_sha512_base64()` | 88 chars | `W2om8pD7KNUtn4cwT0xG3yJj7J0BmHRE...` | Base64 encoding is more compact than hex (88 characters vs 130). ## Security considerations ### Constant-time comparison When comparing HMAC values for authentication, always use `digest.secure_is_equal()` to prevent timing attacks. String comparison with `==` leaks information about which bytes matched, potentially allowing an attacker to forge valid authentication tags: ```vcl if (!digest.secure_is_equal(var.expected, var.actual)) { error 401 "Invalid signature"; } ``` ### Validate keys before use Always verify that key lookups succeed before computing an HMAC: ```vcl declare local var.key STRING; set var.key = table.lookup(secrets, "api-key"); if (var.key == "") { error 500 "API key not found"; } ``` ## Related content - `digest.hmac_sha512()` - Returns hex-encoded output with `0x` prefix. - `digest.hmac_sha256_base64()` - HMAC-SHA256 with Base64 output. - `digest.secure_is_equal()` - Constant-time string comparison.