HMAC Generator
Compute HMAC signatures using SHA-256 or SHA-512 with your secret key — verify webhooks and API authenticity.
What is the HMAC Generator?
HMAC (Hash-based Message Authentication Code) combines a secret key with a cryptographic hash function to produce a fixed-length authentication tag. The algorithm XORs the key with inner and outer padding constants, then hashes twice: first the inner-padded key followed by the message, then the outer-padded key followed by that intermediate result. This construction prevents length-extension attacks and ensures only parties with the secret key can produce valid signatures. HMAC is foundational to webhook verification, JWT signing, and secure API communication.
How to use the HMAC Generator?
- Enter your message text in the input field.
- Enter your secret key in the key field.
- Select the hash algorithm (SHA-256 or SHA-512).
- The HMAC signature is computed instantly as you type.
- Click 'Copy' to copy the HMAC hex string to your clipboard.
- Compare the generated HMAC against expected values to verify webhook signatures or API authenticity.
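The comparison step above, as an added example (not this tool's own code): it computes the tag with the Web Crypto API and checks a received hex signature with `verify` rather than comparing hex strings with `===`, which can leak timing information. The function names, the secret and the webhook body are constructed for illustration.

```javascript
// Added example, not the tool's own code. Needs a global Web Crypto
// (browsers, Node.js 19+); the fallback covers older Node.js in CommonJS.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder();

// Constructed sample values, for illustration only.
const SAMPLE_SECRET = "constructed-demo-secret";
const SAMPLE_BODY = '{"event":"payment.succeeded","id":"evt_constructed_1"}';

// Import a UTF-8 secret as a non-extractable HMAC key.
// hashName is "SHA-256" or "SHA-512", the two options the tool offers.
function importHmacKey(secret, hashName, usages) {
  return subtle.importKey(
    "raw", enc.encode(secret), { name: "HMAC", hash: hashName }, false, usages);
}

// Compute the tag over the exact message bytes; return lowercase hex.
async function hmacHex(secret, message, hashName = "SHA-256") {
  const key = await importHmacKey(secret, hashName, ["sign"]);
  const tag = new Uint8Array(await subtle.sign("HMAC", key, enc.encode(message)));
  return Array.from(tag, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Decode a hex tag; null for anything that is not well-formed hex.
function hexToBytes(hex) {
  if (typeof hex !== "string" || hex.length % 2 || !/^[0-9a-f]*$/i.test(hex)) return null;
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}

// Verify a received hex tag. Malformed, truncated or wrong tags return false.
async function verifyHmacHex(secret, message, receivedHex, hashName = "SHA-256") {
  const tag = hexToBytes(receivedHex);
  if (tag === null) return false;
  const key = await importHmacKey(secret, hashName, ["verify"]);
  return subtle.verify("HMAC", key, tag, enc.encode(message));
}
```

When verifying a webhook, pass the raw request body exactly as received, before any JSON parsing or re-serialization, because the tag covers the exact bytes.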
Frequently Asked Questions
What is HMAC?
HMAC (Hash-based Message Authentication Code) combines a secret key with a hash function to produce a signature that verifies both data integrity and authenticity. Unlike plain hashing, only someone with the key can generate or verify the correct HMAC.
Where is HMAC used?
HMAC is used in API webhook verification (Stripe, GitHub, Slack), JWT signature validation, secure session tokens, message authentication in protocols like TLS, and any scenario requiring proof that a message came from a trusted sender.
HMAC vs plain hash — what's the difference?
A plain hash (SHA-256 of data) can be computed by anyone with the data. An HMAC requires both the data AND a secret key, so only authorized parties can generate valid signatures. This prevents attackers from forging messages.
Is this tool safe for my secret keys?
Yes. All HMAC computation runs locally in your browser using the Web Crypto API. Neither your message nor your key is transmitted to any server.