HMAC Generator — SHA-256 · SHA-512 · Webhook & API Authentication
HMAC-SHA1 · HMAC-SHA256 · HMAC-SHA384 · HMAC-SHA512 · Webhook verify · Batch · API signing · 100% browser-side
🔒 Key never leaves your browser — processed via Web Crypto API
Generate HMAC signatures for API authentication, webhook verification, and JWT signing. Supports HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 simultaneously. UTF-8, Hex, and Base64 key formats. Verify mode confirms signature authenticity. All computation via Web Crypto API — your secret key never leaves your browser.
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a hash function with a secret key. Unlike a plain hash, which only verifies data integrity, HMAC also proves authenticity: only someone with the correct secret key can produce a valid HMAC. It is the backbone of API authentication, webhook verification, and JWT signatures.
HMAC-SHA256 vs HMAC-SHA512
HMAC-SHA256 is the current industry standard — used by AWS Signature V4, GitHub webhooks, Stripe, Shopify, and most modern REST APIs. It produces a 64-character hex signature. HMAC-SHA512 provides extra security with a 128-character hex signature and is preferred for banking, fintech, and high-security systems. Both are secure — choose SHA256 for compatibility and SHA512 for maximum security.
Frequently Asked Questions
What is HMAC?
HMAC combines a hash function with a secret key to prove both data integrity and authenticity. Used in webhook signing, API request authentication, and JWT HS256 signatures.
Which HMAC algorithm should I use?
HMAC-SHA256 for most APIs (AWS, GitHub, Stripe). HMAC-SHA512 for banking and high-security systems. Avoid HMAC-SHA1 in new systems.
How do I verify a GitHub webhook?
Compute the HMAC-SHA256 of the raw request body using your webhook secret. Prepend "sha256=" and compare the result with the X-Hub-Signature-256 header using a constant-time comparison.
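The check described above, as an added Node.js example (not code from this tool). The function names, the secret and the sample body are constructed for illustration; the secret is treated as a UTF-8 string.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const PREFIX = 'sha256=';

// Produce the header value a sender would attach for this body and secret.
function signBody(rawBody, secret) {
  return PREFIX + createHmac('sha256', secret).update(rawBody).digest('hex');
}

// rawBody must be the exact bytes received on the wire (a Buffer).
// Re-serializing parsed JSON changes whitespace and breaks the signature.
function verifyGithubSignature(rawBody, headerValue, secret) {
  if (!Buffer.isBuffer(rawBody)) {
    throw new TypeError('rawBody must be a Buffer of the unparsed request body');
  }
  // Missing header or a different scheme (for example "sha1=") is rejected.
  if (typeof headerValue !== 'string' || !headerValue.startsWith(PREFIX)) {
    return false;
  }
  const hex = headerValue.slice(PREFIX.length);
  // A SHA-256 digest is 32 bytes, so exactly 64 hex characters. Checking the
  // shape first guarantees equal-length buffers for timingSafeEqual, which
  // throws on a length mismatch.
  if (!/^[0-9a-f]{64}$/i.test(hex)) {
    return false;
  }
  const received = Buffer.from(hex, 'hex');
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  // Constant-time comparison: run time does not depend on where bytes differ.
  return timingSafeEqual(expected, received);
}

// Constructed sample delivery: valid, then the same JSON re-serialized.
function demo() {
  const secret = 'constructed-webhook-secret';
  const raw = Buffer.from('{"action":"opened","number":1}');
  const header = signBody(raw, secret);
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(raw.toString()), null, 2));
  return {
    valid: verifyGithubSignature(raw, header, secret),
    afterReserialize: verifyGithubSignature(reserialized, header, secret),
  };
}

console.log(demo());
```

In a web framework, capture the body as bytes before any JSON middleware parses it, and pass those bytes to the verifier.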
Is my secret key safe?
100% safe. All HMAC computation uses the Web Crypto API in your browser. Your key is never sent to any server or stored anywhere.
What key format should I use?
UTF-8 for string secrets (webhook secrets, API keys). Hex when the secret is stored as hex bytes. Base64 when the secret is Base64-encoded (JWT libraries, AWS SDK).