When sending messages through a public network, or storing them where other users and systems can access them, we need to know whether a message still has its original content or whether it was intercepted and modified by anyone.
That's a typical form of a man-in-the-middle attack, and it can modify anything in our content that sits in a place other people can reach too, such as an unencrypted network or a disk on a shared system.
The HMAC algorithm can be used to guarantee that a message wasn't altered from its original state, and it's frequently used to sign digital documents to ensure their integrity.
A good scenario for HMAC might be a password-reset link; those links usually include a parameter identifying the user for whom the password should be reset: http://myapp.com/[email protected].
But anyone might replace the user argument and reset other people's passwords. So, we want to ensure that the link we provide wasn't actually modified...
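The password-reset scenario above, as an added example that is not code from the original text: the server tags the user parameter with HMAC-SHA256 and rejects any link whose tag does not match. It goes one step beyond the text by also signing an expiry time. The key, the endpoint URL, the `expires` and `sig` parameter names and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example: a real key is loaded from protected server-side
# configuration and is never sent to the client.
SECRET_KEY = secrets.token_bytes(32)
BASE_URL = "https://app.example/reset-password"  # hypothetical endpoint


def _tag(user, expires, key):
    # Length-prefix the user so the field boundary inside the MAC input is
    # unambiguous, whatever characters the user name contains.
    msg = f"{len(user)}:{user}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_reset_link(user, now, ttl=900, key=SECRET_KEY):
    """Build a reset link whose user and expiry are covered by an HMAC tag."""
    expires = int(now) + ttl
    query = urlencode({"user": user, "expires": expires,
                       "sig": _tag(user, expires, key)})
    return f"{BASE_URL}?{query}"


def verify_reset_link(url, now, key=SECRET_KEY):
    """Return the user if the link is authentic and unexpired, else None."""
    params = parse_qs(urlsplit(url).query)
    try:
        # One-element unpacking rejects missing and duplicated parameters.
        (user,) = params["user"]
        (expires_raw,) = params["expires"]
        (sig,) = params["sig"]
        expires = int(expires_raw)
    except (KeyError, ValueError):
        return None
    expected = _tag(user, expires, key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return user if now <= expires else None
```

The tag only proves the link was issued by the holder of the key and not changed since; making a link single-use still needs server-side state.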