
HMAC Generator


All processing happens in your browser using the Web Crypto API. No data is sent to any server.

Usage Examples

API Authentication

Generate HMAC signatures for API request authentication, commonly used in REST APIs.

Webhook Verification

Verify webhook payloads by comparing HMAC signatures from services like Stripe or GitHub.

JWT Signing

Create HMAC-SHA256 signatures for JSON Web Token (JWT) payload signing.

Features

Multiple Algorithms

Support for HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, and HMAC-SHA1 algorithms

HMAC Comparison

Compare generated HMAC with an expected value to verify message integrity

Multiple Output Formats

Output in hexadecimal or Base64 encoding for different integration needs

Web Crypto API

Uses the native Web Crypto API for secure, browser-based HMAC generation

How to Use?

1. Enter Message & Key

Type or paste your message and enter your secret key in the respective fields.

2. Select Algorithm

Choose your HMAC algorithm (SHA-256, SHA-384, SHA-512, or SHA-1) and output format.

3. Generate & Copy

Click Generate HMAC and copy the result. Optionally compare with an expected HMAC value.

Frequently Asked Questions

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a signature. It proves both integrity (the message was not changed) and authenticity (the sender knows the secret key). Without the key, no one can forge a valid HMAC — making it far stronger than a plain hash for authentication purposes.

A SHA-256 hash of "hello" is always the same: anyone can compute it. An HMAC-SHA256 of "hello" produces a different result for every secret key. Plain hashing gives you integrity (detect tampering). HMAC gives you integrity plus authentication (prove who signed it). This is why APIs use HMAC for request signing, not plain SHA-256.

HMAC-SHA256 is the industry default and what most services use: AWS Signature Version 4, Stripe webhooks, GitHub webhooks, Shopify webhooks. HMAC-SHA512 provides extra security margin and is faster than SHA-256 on 64-bit hardware. HMAC-SHA384 is rarely needed. Avoid HMAC-SHA1 for new projects — use it only when integrating with legacy systems that require it.

Both represent the same HMAC value in different encodings. Hex (hexadecimal) produces 64 characters for HMAC-SHA256 — easier to read and compare manually. Base64 produces 44 characters — more compact, commonly used in HTTP Authorization headers, JWT signatures, and API request headers. Check which format your target service expects before generating.

When you receive a webhook from Stripe, the payload comes with an X-Stripe-Signature header containing an HMAC-SHA256 of the raw body, signed with your endpoint's secret key. To verify: compute HMAC-SHA256 of the raw request body using your secret, then compare to the header value. If they match, the webhook is genuine. GitHub uses X-Hub-Signature-256 the same way. This tool lets you compute and verify these signatures without writing code.

For HMAC-SHA256, the recommended key length is at least 32 bytes (256 bits) — matching the hash output size. Shorter keys reduce security; longer keys are fine. Never use human-memorable strings as keys — they are too predictable. Generate keys with a cryptographically secure RNG and store them in environment variables or a secrets manager, never in source code.

Generate an HMAC, then paste an expected HMAC value into the Compare field. The tool compares the two values and reports whether they match. This is useful for verifying webhook signatures: compute the expected HMAC from the received payload and your key, then compare to the signature in the request header. A match confirms the webhook is authentic.
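The same steps done in server code rather than in the tool, as an added Python example that is not part of this page or the tool's own browser code: it produces the hex and Base64 forms of the tag described in the encoding answer, verifies a GitHub-style X-Hub-Signature-256 value (GitHub prefixes the hex digest with `sha256=`) over the raw request body with a constant-time comparison, and generates a key sized to the hash output as the key-length answer recommends. The key and body are constructed RFC 4231 test-vector values, not real secrets.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo inputs (RFC 4231 test-vector key and message, not a real secret).
DEMO_KEY = b"Jefe"
DEMO_BODY = b"what do ya want for nothing?"


def hmac_digest(key: bytes, message: bytes, algorithm: str = "sha256") -> bytes:
    """Raw HMAC bytes; algorithm is a hashlib name: sha256, sha384, sha512 or sha1."""
    return hmac.new(key, message, getattr(hashlib, algorithm)).digest()


def hmac_hex(key: bytes, message: bytes, algorithm: str = "sha256") -> str:
    """Hex encoding of the tag: 64 characters for HMAC-SHA256."""
    return hmac_digest(key, message, algorithm).hex()


def hmac_base64(key: bytes, message: bytes, algorithm: str = "sha256") -> str:
    """Base64 encoding of the same bytes: 44 characters for HMAC-SHA256."""
    return base64.b64encode(hmac_digest(key, message, algorithm)).decode("ascii")


def verify_signature(key: bytes, raw_body: bytes, header_value: str,
                     algorithm: str = "sha256") -> bool:
    """Recompute the HMAC over the raw body and compare in constant time.

    Accepts a bare hex digest or GitHub's "sha256=<hex>" form. Using
    hmac.compare_digest instead of == keeps the comparison time independent
    of how many leading characters of the expected tag happen to match.
    """
    provided = header_value.split("=", 1)[-1].strip()
    expected = hmac_hex(key, raw_body, algorithm)
    return hmac.compare_digest(expected, provided)


def generate_key(algorithm: str = "sha256") -> bytes:
    """Key from a CSPRNG, sized to the hash output (32 bytes for SHA-256)."""
    return secrets.token_bytes(hashlib.new(algorithm).digest_size)


if __name__ == "__main__":
    tag = hmac_hex(DEMO_KEY, DEMO_BODY)
    print("hex:   ", tag)
    print("base64:", hmac_base64(DEMO_KEY, DEMO_BODY))
    print("valid header:   ", verify_signature(DEMO_KEY, DEMO_BODY, "sha256=" + tag))
    print("tampered body:  ", verify_signature(DEMO_KEY, DEMO_BODY + b"!", tag))
```

Always hash the raw bytes of the request body; re-serialising a parsed JSON object changes whitespace and key order and yields a different tag.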

Never. All HMAC generation uses the Web Crypto API (window.crypto.subtle.sign), which runs entirely in your browser. Your key, message, and HMAC output are never transmitted to any server. You can disconnect from the internet and the tool works identically.

What Is HMAC?

HMAC stands for Hash-based Message Authentication Code. It combines a cryptographic hash function (like SHA-256) with a secret key to produce a signature that proves both the integrity and authenticity of a message. Unlike a plain hash, HMAC ensures that only someone who knows the secret key could have generated the code - which is why it's the backbone of API authentication, webhook verification, and JWT signing.

Where You'll See HMAC in the Wild

If you've integrated with Stripe, GitHub, or AWS, you've used HMAC. Stripe signs webhook payloads with HMAC-SHA256 so you can verify they actually came from Stripe. AWS uses HMAC-SHA256 in Signature Version 4 for API request signing. JWTs with the HS256 algorithm are literally HMAC-SHA256 under the hood. This tool lets you generate and verify these signatures without writing code.

HMAC vs Plain Hashing

A SHA-256 hash of "hello" is always the same regardless of who computed it. An HMAC-SHA256 of "hello" is different for every secret key - so it proves both that the message wasn't tampered with AND that it was created by someone who knows the key. This is the critical difference: hashing gives you integrity, HMAC gives you integrity plus authentication.

Choosing the Right Algorithm

HMAC-SHA256 is the industry default and what you should use unless you have a specific reason not to. HMAC-SHA384 and HMAC-SHA512 produce longer outputs for higher security margins. HMAC-SHA1 is supported for backward compatibility with older systems but shouldn't be used in new implementations. The algorithm choice doesn't affect how HMAC fundamentally works - it just determines the underlying hash function.

Security and Privacy

This tool runs entirely in your browser using the Web Crypto API - the same cryptographic implementation that handles TLS. Your secret key never touches a server. You can verify this by running the tool offline. For production use, always keep your HMAC keys in environment variables or secret management systems, never in client-side code.
