HMAC Generator
Generate HMAC (Hash-based Message Authentication Code) with multiple algorithms
Usage Examples
API Authentication
Generate HMAC signatures for API request authentication, commonly used in REST APIs.
Webhook Verification
Verify webhook payloads by comparing HMAC signatures from services like Stripe or GitHub.
JWT Signing
Create HMAC-SHA256 signatures for JSON Web Token (JWT) payload signing.
Features
Multiple Algorithms
Support for HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, and HMAC-SHA1 algorithms
HMAC Comparison
Compare generated HMAC with an expected value to verify message integrity
Multiple Output Formats
Output in hexadecimal or Base64 encoding for different integration needs
Web Crypto API
Uses the native Web Crypto API for secure, browser-based HMAC generation
How to Use?
Enter Message & Key
Type or paste your message and enter your secret key in the respective fields.
Select Algorithm
Choose your HMAC algorithm (SHA-256, SHA-384, SHA-512, or SHA-1) and output format.
Generate & Copy
Click Generate HMAC and copy the result. Optionally compare with an expected HMAC value.
Frequently Asked Questions
What Is HMAC?
HMAC stands for Hash-based Message Authentication Code. It combines a cryptographic hash function (like SHA-256) with a secret key to produce a signature that proves both the integrity and authenticity of a message. Unlike a plain hash, HMAC ensures that only someone who knows the secret key could have generated the code - which is why it's the backbone of API authentication, webhook verification, and JWT signing.
Where You'll See HMAC in the Wild
If you've integrated with Stripe, GitHub, or AWS, you've used HMAC. Stripe signs webhook payloads with HMAC-SHA256 so you can verify they actually came from Stripe. AWS uses HMAC-SHA256 in Signature Version 4 for API request signing. JWTs with the HS256 algorithm are literally HMAC-SHA256 under the hood. This tool lets you generate and verify these signatures without writing code.
HMAC vs Plain Hashing
A SHA-256 hash of "hello" is always the same regardless of who computed it. An HMAC-SHA256 of "hello" is different for every secret key - so it proves both that the message wasn't tampered with AND that it was created by someone who knows the key. This is the critical difference: hashing gives you integrity, HMAC gives you integrity plus authentication.
Choosing the Right Algorithm
HMAC-SHA256 is the industry default and what you should use unless you have a specific reason not to. HMAC-SHA384 and HMAC-SHA512 produce longer outputs for higher security margins. HMAC-SHA1 is supported for backward compatibility with older systems but shouldn't be used in new implementations. The algorithm choice doesn't affect how HMAC fundamentally works - it just determines the underlying hash function.
Security and Privacy
This tool runs entirely in your browser using the Web Crypto API - the same cryptographic implementation that handles TLS. Your secret key never touches a server. You can verify this by running the tool offline. For production use, always keep your HMAC keys in environment variables or secret management systems, never in client-side code.