An HMAC token is a short string generated with a secret key that signs data (for example, a user ID and document ID) so a server can verify the data wasn’t altered. HMAC stands for Hash-based Message Authentication Code.

What problem does it solve?

When you email a customer a link to view a secure document—like an invoice or statement—you want that link to be tamper-proof and short-lived. An HMAC token lets your system verify that:

  • the link was created by you (it matches your secret key),
  • the data inside (e.g., user and document IDs) wasn’t modified, and
  • the link hasn’t expired.

How it works (high level)

  1. Your server assembles the minimal data needed to open a resource (for example: user_id, doc_id, and expires_at).
  2. It computes an HMAC over that data using a private server-side key.
  3. It sends the user a URL like /doc?u=123&d=456&e=1731300000&sig=....
  4. On click, your server recomputes the HMAC and checks the expiry. If both pass—and the user is authenticated—you serve the document.

Why finance and compliance teams use it

  • Deliverability-friendly: Signed links are smaller and trigger fewer attachment filters than large PDFs.
  • Privacy by design: The full document stays server-side; the inbox holds only a minimal summary + secure link.
  • Revocable access: You can expire all outstanding tokens or a specific one immediately.
  • Audit trails: Each token click can be logged (time, IP/UA where lawful) and correlated with your email stats.

Best practices

  • Short expiry: 15–60 minutes for sensitive documents; longer for low-risk flows.
  • Bind to intent: Include user ID, document ID, a nonce, and expiry in the signed payload.
  • Authenticate user: For statements/invoices, require account login before rendering the file.
  • Rotate secrets: Store HMAC keys securely; rotate on schedule and upon suspicion.
  • Least data in email: Avoid PII in query params and filenames.

Where this fits with Mailpro

Use your app to generate signed links and send via the Mailpro Email API or SMTP. Keep logs in your system and correlate with Mailpro stats for complete audit trails. For jurisdictional clarity, host data in Switzerland and review our GDPR information and Legal Documents (DPA).

Example uses

  • Invoices & statements: Email contains invoice #, amount, due date, and a signed, expiring link to view/download.
  • Password resets / identity confirmation: Short-lived links that expire after first use.
  • One-click secure actions: Confirm bank details, approve an estimate, etc., after authentication.

Security reminders

  • Always serve documents over HTTPS and enforce modern TLS for email transport.
  • Validate tokens server-side only; never expose your secret key in front-end code.
  • Throttle verification attempts and alert on anomalies.
