API Signature Generator — HMAC-SHA256 Request Signing for REST APIs
HMAC-SHA1 · HMAC-SHA256 · HMAC-SHA384 · HMAC-SHA512 · Webhook verify · Batch · API signing · 100% browser-side
Generate API request signatures for REST API authentication. Enter your canonical request string (method + path + timestamp) as message and your API secret as key. Includes ready-to-use code for Express.js and FastAPI webhook verification middleware.
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a hash function with a secret key. Unlike a plain hash which only verifies data integrity, HMAC also proves authenticity — only someone with the correct secret key can produce a valid HMAC. It is the backbone of API authentication, webhook verification, and JWT signatures.
HMAC-SHA256 vs HMAC-SHA512
HMAC-SHA256 is the current industry standard — used by AWS Signature V4, GitHub webhooks, Stripe, Shopify, and most modern REST APIs. It produces a 64-character hex signature. HMAC-SHA512 provides extra security with a 128-character hex signature and is preferred for banking, fintech, and high-security systems. Both are secure — choose SHA256 for compatibility and SHA512 for maximum security.
Frequently Asked Questions
How do I sign API requests with HMAC?
Create a canonical string from your request (method + path + timestamp + body hash). Compute HMAC-SHA256 with your API secret. Include the signature in an Authorization or X-Signature header.
What is AWS Signature V4?
AWS Signature V4 uses HMAC-SHA256 in multiple rounds: first derive a signing key from your secret, region, service, and date. Then sign the canonical request. This tool computes single-round HMAC — for AWS, use the official SDK.
How do I prevent replay attacks in API signing?
Include a Unix timestamp in your canonical string and reject any request whose timestamp differs from the server's clock by more than 5 minutes. This stops an attacker from reusing a captured signature once that window has passed.
Should I use HMAC or JWT for API authentication?
HMAC request signing is better for server-to-server APIs (AWS style). JWT is better for user authentication (mobile apps, SPAs). HMAC-SHA256 does not expire by itself — add timestamps manually.
What is the canonical request format?
A canonical request combines HTTP method, URL path, query string, headers, and body in a standardized format before signing. This prevents parameter tampering. The exact format varies by API — check the API documentation.