HMAC Generator

Generate HMAC-SHA256 from message and key.

About HMAC Generator

HMAC (Hash-based Message Authentication Code) is a specific construction for computing a message authentication code using a cryptographic hash function combined with a secret key. Unlike a plain hash, which anyone can compute, an HMAC requires knowledge of the secret key — making it suitable for verifying both message integrity and sender authenticity. The HMAC algorithm works by hashing the message with the key in two passes (inner and outer padding), producing a signature that is infeasible to forge without the key. This tool supports HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512, all computed using the browser's native Web Crypto API. HMAC is widely used in REST API authentication (e.g., AWS Signature V4), webhook verification (e.g., GitHub, Stripe), JWT signing, and secure communication protocols. For plain hash generation, see our Hash Generator.

How to Use HMAC Generator

  1. Enter the message you want to authenticate in the message field.
  2. Enter your secret key — this should be kept confidential and shared only with the party that needs to verify the HMAC.
  3. Select the algorithm: SHA-256 is the most common choice; SHA-512 produces a longer output and a larger security margin.
  4. Click Compute HMAC to generate the hexadecimal HMAC signature.
  5. Copy the result and use it in your API requests, webhook configurations, or security implementations.

Key Features

  • Multiple algorithms — Supports HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 for different security requirements.
  • Web Crypto API — Uses the browser's native cryptographic library for standards-compliant, high-performance computation.
  • Hexadecimal output — HMAC signatures are displayed in standard hex format for easy integration.
  • Complete privacy — Your message and secret key never leave your browser. No server processing involved.
  • Developer-friendly — Perfect for testing API signatures, debugging webhook verification, and prototyping security flows.

When to Use This Tool

  • Testing API request signatures that require HMAC authentication (e.g., AWS, payment gateways).
  • Verifying webhook payloads from services like GitHub, Stripe, or Slack.
  • Debugging HMAC mismatches in your application by comparing expected and actual signatures.
  • Learning how HMAC works and experimenting with different algorithms and inputs.
  • Generating HMAC values for documentation, test cases, or integration guides.

Technical Details

HMAC is defined in RFC 2104 and works by computing H((K' ⊕ opad) || H((K' ⊕ ipad) || message)), where H is the hash function, K' is the key padded to the hash's block size (a key longer than the block size is hashed first), and ipad/opad are fixed padding constants. This two-pass construction makes HMAC resistant to the length-extension attacks that affect plain hash functions when they are used as a MAC, for example H(key || message). The tool uses the Web Crypto API's crypto.subtle.importKey() and crypto.subtle.sign() methods for HMAC computation. HMAC-SHA-256 produces a 64-character hex output (256 bits), HMAC-SHA-384 produces 96 hex characters, and HMAC-SHA-512 produces 128 hex characters. For strong security, use a key that is at least as long as the hash output (e.g., 32 bytes for HMAC-SHA-256). For related security tools, see our JWT Decoder and Bcrypt Generator.
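The importKey()/sign() flow described above, together with the verification side a webhook or API receiver needs, as an added example that is not this tool's own source code. The function names (importHmacKey, hmacHex, hexToBytes, verifyHmacHex) are hypothetical, and the key is assumed to be a UTF-8 string.

```javascript
// Added example: compute and verify hex HMAC tags with the Web Crypto API.
// Browsers and current Node.js expose it as globalThis.crypto; the require
// fallback is only evaluated on older Node.js builds.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder();

// Import a UTF-8 secret as a non-extractable HMAC key for the chosen hash.
function importHmacKey(secret, hash) {
  return subtle.importKey("raw", enc.encode(secret),
    { name: "HMAC", hash }, false, ["sign", "verify"]);
}

// Return the tag as lowercase hex, the output format described on this page.
async function hmacHex(secret, message, hash = "SHA-256") {
  const key = await importHmacKey(secret, hash);
  const tag = await subtle.sign("HMAC", key, enc.encode(message));
  return Array.from(new Uint8Array(tag), b => b.toString(16).padStart(2, "0")).join("");
}

// Decode a received hex tag; return null for anything that is not clean hex.
function hexToBytes(hex) {
  if (typeof hex !== "string" || hex.length % 2 !== 0) return null;
  if (!/^[0-9a-fA-F]*$/.test(hex)) return null;
  return Uint8Array.from(hex.match(/../g) ?? [], h => parseInt(h, 16));
}

// Verify through subtle.verify(), which recomputes the tag and compares it
// inside the crypto library, rather than comparing hex strings with ===
// in application code (a string comparison can return at the first mismatch).
async function verifyHmacHex(secret, message, receivedHex, hash = "SHA-256") {
  const received = hexToBytes(receivedHex);
  if (received === null) return false; // malformed tag: reject
  const key = await importHmacKey(secret, hash);
  return subtle.verify("HMAC", key, received, enc.encode(message));
}
```

A receiver should run verifyHmacHex over the exact raw bytes of the request body as received; re-serializing parsed JSON before verification is a common cause of the HMAC mismatches mentioned above.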

Conclusion

The HMAC Generator is an essential developer tool for computing keyed message authentication codes directly in your browser. Whether you're testing API signatures, verifying webhooks, or learning about message authentication, this tool provides fast, private, and standards-compliant HMAC computation.

Frequently Asked Questions

What is HMAC?
HMAC (Hash-based Message Authentication Code) combines a secret key with a message and hashes them using a specific construction. It proves that the message was not altered and was created by someone who knows the secret key, providing both integrity and authenticity verification.
Is my data sent to a server?
No. HMAC is computed entirely in your browser using the Web Crypto API. Your message and secret key never leave your device, ensuring complete confidentiality.
When is HMAC used in practice?
HMAC is commonly used for API request authentication (e.g., AWS Signature V4), webhook payload verification (e.g., GitHub, Stripe), JWT signing with HS256/HS512 algorithms, and secure inter-service communication.
How is HMAC different from a regular hash?
A regular hash (e.g., SHA-256) can be computed by anyone with the input data. HMAC requires a secret key, so only parties who possess the key can generate or verify the signature. This makes HMAC suitable for authentication, while plain hashes are only suitable for integrity checks.