@@ -45,13 +45,14 @@ def decode_data(data):
         return None
 
 
-def get_client_token(secret_key, project_id, user, expired, user_info=None):
+def get_client_token(secret_key, project_id, user, expired, user_info=None, hash_algorithm=None):
     """
     When client from browser connects to Centrifuge he must send his
     user ID, ID of project and optionally user_info JSON string.
     To validate that data we use md5 HMAC to build token.
     """
-    sign = hmac.new(six.b(str(secret_key)))
+    hash_algorithm = hash_algorithm or sha256
+    sign = hmac.new(six.b(str(secret_key)), digestmod=hash_algorithm)
     sign.update(six.b(project_id))
     sign.update(six.b(user))
     sign.update(six.b(expired))
@@ -65,5 +66,5 @@ def check_client_token(token, secret_key, project_id, user, expired, user_info=N
     hash_algorithm = detect_hash_algorithm(token)
     if not hash_algorithm:
         return False
-    client_token = get_client_token(secret_key, project_id, user, expired, user_info)
+    client_token = get_client_token(secret_key, project_id, user, expired, user_info, hash_algorithm=hash_algorithm)
     return token == client_token