diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1909b9df0334..4c22a0db4478 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -123,6 +123,8 @@ perform significantly better than any previous version.
 - CORS: Properly return `Access-Control-Allow-Credentials: false` if `Access-Control-Allow-Origin: *`.
 [#2104](https://github.com/Mashape/kong/pull/2104)
+ - HMAC-Auth: Generate a credential secret if none provided.
+ [#2158](https://github.com/Mashape/kong/pull/2158)
 ## [0.9.7] - 2016/12/21
diff --git a/kong/plugins/hmac-auth/daos.lua b/kong/plugins/hmac-auth/daos.lua
index 3e8c0ad572dc..213df6b92efc 100644
--- a/kong/plugins/hmac-auth/daos.lua
+++ b/kong/plugins/hmac-auth/daos.lua
@@ -1,3 +1,9 @@
+local utils = require "kong.tools.utils"
+
+local function random_secret(t)
+ return utils.random_string()
+end
+
 local SCHEMA = {
 primary_key = {"id"},
 table = "hmacauth_credentials",
@@ -6,7 +12,7 @@ local SCHEMA = {
 created_at = {type = "timestamp", immutable = true, dao_insert_value = true},
 consumer_id = {type = "id", required = true, foreign = "consumers:id"},
 username = {type = "string", required = true, unique = true},
- secret = {type = "string"}
+ secret = {type = "string", default = random_secret}
 },
 marshall_event = function(self, t)
 return {id = t.id, consumer_id = t.consumer_id, username = t.username}
diff --git a/spec/03-plugins/09-hmac-auth/02-api_spec.lua b/spec/03-plugins/09-hmac-auth/02-api_spec.lua
index fa7546eca744..72532bfabbe2 100644
--- a/spec/03-plugins/09-hmac-auth/02-api_spec.lua
+++ b/spec/03-plugins/09-hmac-auth/02-api_spec.lua
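Review bot: The strength of every auto-generated HMAC key now rests on `utils.random_string()` in `random_secret` (daos.lua, first hunk), and that helper's implementation is not part of this diff. It should only back a credential secret if it draws from a CSPRNG and yields enough entropy for an HMAC key; a comment above the function would record that requirement, e.g. `-- secret is an HMAC key: utils.random_string() must be CSPRNG-backed`. Separately, `return utils.random_string()` forwards every value the helper returns, so if it happens to return more than one (for instance the result of a `gsub`), `return (utils.random_string())` would pin the default to a single string. The parameter `t` is unused and could be named `_`.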
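Review bot: The `default = random_secret` on the `secret` field (daos.lua, second hunk) only covers the case where no secret is supplied; a caller-provided value is still accepted as-is, so as far as this schema shows a one-character secret remains a valid credential. If the DAO layer treats an empty string as a provided value (not visible here), `secret = ""` would also skip the default. Consider adding a minimum-length check to the field's validation so weak explicit secrets are rejected. The SCHEMA table starts and ends outside this hunk.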
@@ -39,6 +39,20 @@ describe("Plugin: hmac-auth (API)", function()
 credential = cjson.decode(body)
 assert.equal(consumer.id, credential.consumer_id)
 end)
+ it("[SUCCESS] should create a hmac-auth credential with a random secret", function()
+ local res = assert(client:send {
+ method = "POST",
+ path = "/consumers/bob/hmac-auth/",
+ body = {
+ username = "bob",
+ },
+ headers = {["Content-Type"] = "application/json"}
+ })
+
+ local body = assert.res_status(201, res)
+ credential = cjson.decode(body)
+ assert.is.not_nil(credential.secret)
+ end)
 it("[FAILURE] should return proper errors", function()
 local res = assert(client:send {
 method = "POST",
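Review bot: The only check on the generated key, `assert.is.not_nil(credential.secret)`, would also pass for an empty string, a non-string value, or the same fixed value on every call, so the test does not pin the properties that matter for an HMAC secret. Consider adding `assert.is_string(credential.secret)` and a minimum-length assertion, and creating a second credential to assert with `assert.not_equal` that the two secrets differ. The new test also assigns the shared `credential` variable, so later tests in the describe block (which continues outside the hunk) will see this credential rather than the one from the preceding test; a `local` would avoid that coupling if it is not intended.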