HMAC Generator

Compute a keyed hash (HMAC) over your message with SHA-256, SHA-512, or SHA-1. Used for API request signing, webhook verification, and JWT tokens. Runs entirely in your browser.

What is HMAC?

HMAC stands for Hash-based Message Authentication Code. It combines a cryptographic hash function (like SHA-256) with a secret key to produce a fixed-length code that proves two things at once: that a message has not been tampered with, and that it came from someone who holds the shared secret key. A plain hash can only prove the former — anyone can recompute it — so HMAC is what you reach for whenever authenticity matters, not just integrity.

This tool computes HMAC locally using the browser's Web Crypto API. Your message and key are never transmitted or stored.

How to Use This Tool

  1. Paste the message or payload you want to authenticate.
  2. Enter the secret key shared between sender and receiver.
  3. Pick the hash algorithm (SHA-256 is the common default) and the output encoding (hex or Base64).
  4. Click Generate HMAC and copy the result.

Where HMAC is Used

HMAC vs. Plain Hash

If you publish SHA256(message), an attacker who modifies the message can simply publish a new hash to match — the hash alone proves nothing about origin. With HMAC-SHA256(key, message), the attacker cannot forge a valid code without the secret key. Always compare HMACs using a constant-time comparison on the server to avoid timing attacks.
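The server-side check described above, as an added example (not this tool's own code). It assumes Node.js and its built-in `crypto` module; the helper names `hmacBytes`, `decodeTag` and `verifyHmac` are hypothetical, and the sample key and message are constructed input.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// The three hash functions this page offers (names as Node.js spells them).
const ALGORITHMS = new Set(["sha256", "sha512", "sha1"]);

// Compute HMAC(key, message) and return the raw tag bytes.
function hmacBytes(algorithm, key, message) {
  if (!ALGORITHMS.has(algorithm)) throw new Error(`unsupported algorithm: ${algorithm}`);
  return createHmac(algorithm, key).update(message).digest();
}

// Decode a received tag; null means it is not well-formed hex or Base64.
function decodeTag(received, encoding) {
  if (typeof received !== "string") return null;
  if (encoding === "hex" && /^(?:[0-9a-fA-F]{2})+$/.test(received)) {
    return Buffer.from(received, "hex");
  }
  if (encoding === "base64" && /^[A-Za-z0-9+/]+={0,2}$/.test(received)) {
    return Buffer.from(received, "base64");
  }
  return null;
}

// True only if `received` is the correct HMAC of `message` under `key`.
function verifyHmac(algorithm, key, message, received, encoding = "hex") {
  const expected = hmacBytes(algorithm, key, message);
  const candidate = decodeTag(received, encoding);
  // timingSafeEqual throws on unequal lengths, so reject those first. The tag
  // length is public (fixed by the algorithm), so this check reveals nothing.
  if (candidate === null || candidate.length !== expected.length) return false;
  return timingSafeEqual(expected, candidate);
}

// Constructed sample input (key and message of RFC 4231 test case 2).
const SAMPLE_KEY = "Jefe";
const SAMPLE_MESSAGE = "what do ya want for nothing?";
const hexTag = hmacBytes("sha256", SAMPLE_KEY, SAMPLE_MESSAGE).toString("hex");
const b64Tag = hmacBytes("sha256", SAMPLE_KEY, SAMPLE_MESSAGE).toString("base64");

console.log("hex   :", hexTag, `(${hexTag.length} chars)`);
console.log("base64:", b64Tag, `(${b64Tag.length} chars)`);
console.log("valid hex tag   :", verifyHmac("sha256", SAMPLE_KEY, SAMPLE_MESSAGE, hexTag));
console.log("valid Base64 tag:", verifyHmac("sha256", SAMPLE_KEY, SAMPLE_MESSAGE, b64Tag, "base64"));
console.log("tampered message:", verifyHmac("sha256", SAMPLE_KEY, SAMPLE_MESSAGE + "!", hexTag));
console.log("truncated tag   :", verifyHmac("sha256", SAMPLE_KEY, SAMPLE_MESSAGE, hexTag.slice(0, 32)));
```

Comparing the decoded bytes rather than the encoded strings means an uppercase hex tag still verifies, and a malformed or short tag is rejected without throwing.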

Frequently Asked Questions

HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key. Unlike a plain hash, which only proves a message was not changed, HMAC also proves who sent it, because only parties holding the secret key can produce or verify the same code. It is the standard way to authenticate API requests, sign webhooks, and verify JWT tokens.

Use HMAC-SHA256 unless a specific system requires otherwise — it is the most widely supported and is the default for JWT (HS256), AWS Signature v4, and most webhook providers. HMAC-SHA512 offers a larger output and is used where a higher security margin is desired. HMAC-SHA1 is still considered safe for HMAC use specifically, but new systems should prefer SHA-256.

Yes, for HMAC purposes. The SHA-1 collision attacks (SHAttered) break collision resistance, but HMAC's security relies on a different property and is not affected by those attacks. HMAC-SHA1 is still used in protocols like TOTP and older AWS signatures. That said, for new designs SHA-256 is recommended to avoid relying on a deprecated primitive.

Both encode the same raw bytes of the HMAC. Hex (base16) represents each byte as two characters using 0-9 and a-f, so an HMAC-SHA256 is 64 hex characters. Base64 packs the bytes more compactly using 64 symbols, producing about 44 characters for the same HMAC. Different APIs expect different encodings — for example, GitHub webhooks use hex while some AWS headers use Base64.

No. This tool computes the HMAC entirely in your browser using the Web Crypto API. Your message and secret key never leave your device and are not logged or transmitted anywhere.