
HMAC Generator

Generate HMAC signatures using SHA-256, SHA-512, or MD5 with custom secret keys for message authentication.

1. Enter the message you want to sign in the message input field.
2. Type your secret key into the key input field.
3. Select the hash algorithm: SHA-256, SHA-512, or MD5.
4. The HMAC signature is generated instantly and displayed in hex format.
5. Copy the HMAC output to use in API authentication or data integrity verification.

About This Tool

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a signature that verifies both the integrity and authenticity of a message. The HMAC Generator lets you create HMAC signatures using SHA-256, SHA-512, or MD5 with any secret key you provide.

HMAC is widely used in API authentication, webhook verification, JWT signing, and secure communication protocols. When a server sends you a webhook with an HMAC signature, you can use this tool to independently compute the expected signature and verify it matches. Unlike a plain hash, HMAC requires knowledge of the secret key, so an attacker cannot forge a valid signature without it.

All computation happens entirely in your browser using the Web Crypto API. Your message text and secret key are never sent to any server. The tool outputs the HMAC in hexadecimal format by default, with options for Base64 encoding. This makes it straightforward to compare against signatures from services like Stripe, GitHub, Shopify, and other platforms that use HMAC for webhook verification.

Frequently Asked Questions

A regular hash only requires the input message, so anyone can compute it. HMAC requires both the message and a secret key, ensuring that only parties who know the key can generate or verify the signature. This provides authentication in addition to integrity checking.
HMAC-SHA-256 is the most commonly used and recommended for most applications. HMAC-SHA-512 provides a longer signature and is slightly more secure. Avoid HMAC-MD5 for new projects, though it remains acceptable for compatibility with legacy systems.
Paste the webhook payload as the message input and enter the shared secret key provided by the service. Select the same hash algorithm the service uses (usually SHA-256). Compare the generated HMAC with the signature in the webhook header.
Yes. All HMAC computation runs entirely in your browser using the Web Crypto API. Your secret key and message are never transmitted to any server or stored anywhere.
Yes. The tool provides output in both hexadecimal and Base64 formats. Some services like AWS use Base64-encoded HMAC signatures, while others like GitHub use hexadecimal. Choose the format that matches your use case.
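
The webhook check and the hex versus Base64 distinction from the answers above, as an added Python example for the receiving side (not code from this page or the tool). The function names, secret and payload are constructed for illustration; the check runs over the raw received bytes, decodes the signature before comparing, and compares in constant time.

```python
import base64
import hashlib
import hmac

# Algorithms the page lists; MD5 is included only for legacy compatibility.
ALGORITHMS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512, "md5": hashlib.md5}


def compute_hmac(secret: bytes, body: bytes, algorithm: str = "sha256") -> bytes:
    """Return the raw HMAC digest over the exact bytes that were received."""
    return hmac.new(secret, body, ALGORITHMS[algorithm]).digest()


def verify_signature(secret: bytes, body: bytes, received: str,
                     algorithm: str = "sha256", encoding: str = "hex") -> bool:
    """Return True only if `received` decodes to the expected HMAC of `body`."""
    if algorithm not in ALGORITHMS:
        return False
    try:
        # Decode to bytes first so hex letter case cannot cause a false
        # mismatch; a missing or undecodable signature is a failed check.
        if encoding == "hex":
            received_raw = bytes.fromhex(received)
        elif encoding == "base64":
            received_raw = base64.b64decode(received, validate=True)
        else:
            return False
    except (ValueError, TypeError):
        return False
    expected = compute_hmac(secret, body, algorithm)
    # compare_digest avoids the early exit of ==, which can leak how many
    # leading bytes of a guessed signature were correct.
    return hmac.compare_digest(expected, received_raw)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real service.
    secret = b"example-shared-secret"
    body = b'{"event":"order.created","id":42}'
    hex_sig = compute_hmac(secret, body).hex()
    b64_sig = base64.b64encode(compute_hmac(secret, body)).decode()
    print(verify_signature(secret, body, hex_sig))
    print(verify_signature(secret, body, b64_sig, encoding="base64"))
    print(verify_signature(secret, body + b" ", hex_sig))
```

Pass the request body exactly as received; re-serializing parsed JSON before computing the HMAC changes the bytes and makes a valid signature fail.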
