Score:0

Storing 4 char prefix for 32bit hex token after storing HMAC digest


Currently I am working on a public API that uses token authentication. The token is a 32 bit random hex that is shared with the user and then stored in our database as an HMAC digest using a secret key. The token is not stored except for the first 4 characters.

My question is, is it safe to store the prefix like this?

My intuition tells me that it is not safe as it gives any attacker the beginning of the correct answer which therefore shortens the process of trying to brute force our secret key. I am wondering what someone with more expertise than I have thinks about this.


Thank you in advance.

Maarten Bodewes
32 bit random *hex*? Hexadecimals are a base 16 numbering scheme, often used to represent bytes. Bits are *binary digits*, i.e. base 2.
Score:0

In cryptography we always do all the calculations in bits. An HMAC has the same size as the hash used. Assuming a secure hash function such as SHA-256, you'd have an output of 256 bits, as reflected by the name.

Of this, 32 bits are stored in your scheme. Now for a hash and an HMAC, the bits are all dependent on the input, but in principle you cannot tell anything about the unknown bits from the output bits. That means that 224 bits are remaining. An attacker would on average take $2^{223}$ guesses to get to the full HMAC value.

So you don't really have to worry about brute forcing assuming that you are using a secure hash function.

Maarten Bodewes
Beware that this answer doesn't give any indication of the security of your solution though; it's not an in depth analysis and such analysis is considered off topic for this Q/A site.
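The storage scheme the question describes, written out as an added example (this is not code from the question or the answer). It assumes the token is 16 random bytes rendered as 32 hex characters (one reading of "32 bit random hex"), that the digest is HMAC-SHA256 under a server-side key, and that the 4-character prefix is kept in the clear purely as a lookup index so the server can find the right digest row without scanning the whole table. The key constant and the in-memory store are constructed for the example. `remaining_token_bits` computes how much of the token an attacker who sees only the stored prefix still has to guess: 128 - 16 = 112 bits.

```python
import hashlib
import hmac
import secrets

# Constructed for this example; in production this lives in a secret store, not in code.
SERVER_KEY = b"constructed-server-side-secret-key-for-the-example"
PREFIX_LEN = 4    # hex characters retained in the clear, as in the question
TOKEN_BYTES = 16  # 16 random bytes -> 32 hex characters (assumed reading of "32 ... hex")


def digest_token(token: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 of the token under the server key, hex encoded.

    The database holds this digest, never the token, so a leaked table
    does not yield usable credentials without the key.
    """
    return hmac.new(key, token.encode("ascii"), hashlib.sha256).hexdigest()


def issue_token(store: dict, key: bytes = SERVER_KEY) -> str:
    """Mint a token, persist only (prefix, digest), and return the token to the user.

    `store` maps the 4-character prefix to the list of digests sharing it;
    collisions on the prefix are expected and harmless.
    """
    token = secrets.token_hex(TOKEN_BYTES)
    prefix = token[:PREFIX_LEN]
    store.setdefault(prefix, []).append(digest_token(token, key))
    return token


def verify_token(store: dict, presented: str, key: bytes = SERVER_KEY) -> bool:
    """Look up candidate digests by prefix, then compare in constant time."""
    if len(presented) != 2 * TOKEN_BYTES:
        return False
    try:
        bytes.fromhex(presented)  # reject anything that is not a hex token
    except ValueError:
        return False
    candidate = digest_token(presented, key)
    for stored in store.get(presented[:PREFIX_LEN], []):
        # compare_digest avoids leaking how many leading bytes matched
        if hmac.compare_digest(candidate, stored):
            return True
    return False


def remaining_token_bits(token_bytes: int = TOKEN_BYTES, prefix_len: int = PREFIX_LEN) -> int:
    """Entropy of the token still unknown to someone who sees only the stored prefix."""
    return 8 * token_bytes - 4 * prefix_len


if __name__ == "__main__":
    db = {}
    tok = issue_token(db)
    print("issued token:", tok)
    print("stored rows:", db)
    print("verifies:", verify_token(db, tok))
    print("unknown token bits after prefix reveal:", remaining_token_bits())
```

The prefix narrows which stored digest to compare against, not which token to guess: an attacker who reads the table learns 16 bits of each token and still faces a 112-bit search per token, and recovering the HMAC key from digests alone is the separate problem the answer above addresses.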