🔑

HMAC Key Generator — Test UTF-8 · Hex · Base64 Keys Online

HMAC-SHA1 · HMAC-SHA256 · HMAC-SHA384 · HMAC-SHA512 · Webhook verify · Batch · API signing · 100% browser-side

Key:
Output:
Samples:
MESSAGE / DATA TO SIGN
SECRET KEY

🔒 Key never leaves your browser — processed via Web Crypto API

0
HMAC SIGNATURES
🔑

Enter message + secret key to generate HMAC

HMAC-SHA256 · HMAC-SHA512 · Real-time · Web Crypto API

HMAC-SHA-1160-bit · 20 bytes · Legacy
HMAC-SHA-256256-bit · 32 bytes · Standard ✓★ Recommended
HMAC-SHA-384384-bit · 48 bytes · High security
HMAC-SHA-512512-bit · 64 bytes · Maximum
🔍 Verify HMAC Signature
Ctrl+L ClearCtrl+S DownloadCtrl+Shift+C Copy active HMACP Pin
💡

Test HMAC signatures with different key formats — UTF-8 string secrets, hexadecimal byte keys, and Base64-encoded keys. Switch between formats instantly and see how the HMAC output changes. Perfect for debugging key format mismatches in API integrations.

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a hash function with a secret key. Unlike a plain hash which only verifies data integrity, HMAC also proves authenticity — only someone with the correct secret key can produce a valid HMAC. It is the backbone of API authentication, webhook verification, and JWT signatures.

HMAC-SHA256 vs HMAC-SHA512

HMAC-SHA256 is the current industry standard — used by AWS Signature V4, GitHub webhooks, Stripe, Shopify, and most modern REST APIs. It produces a 64-character hex signature. HMAC-SHA512 provides extra security with a 128-character hex signature and is preferred for banking, fintech, and high-security systems. Both are secure — choose SHA256 for compatibility and SHA512 for maximum security.

Frequently Asked Questions

What key formats does HMAC support?

HMAC accepts any byte sequence as a key. The format (UTF-8, Hex, Base64) only affects how the key is decoded before use. "secret" as UTF-8 and "736563726574" as Hex are different byte sequences and produce different HMACs.

Why does my HMAC not match?

Common causes: (1) Wrong key format — try switching between UTF-8/Hex/Base64. (2) Using parsed JSON instead of raw body. (3) Different output encoding — Hex vs Base64. (4) Different algorithm — SHA-256 vs SHA-512.

What is a good HMAC key length?

HMAC works with any key length, but the recommended minimum is equal to the hash output size — 32 bytes (256 bits) for HMAC-SHA256, 64 bytes for HMAC-SHA512. Keys longer than the block size are hashed first.

How do I convert a Base64 key to use in this tool?

Paste the Base64-encoded key in the secret field and switch the key format dropdown to Base64. The tool automatically decodes the Base64 bytes before computing the HMAC.

Can I use a hex key from environment variables?

Yes. Many systems store HMAC keys as hex strings in environment variables. Paste the hex key and select Hex as key format. The tool decodes hex bytes and computes the correct HMAC.

Related Developer Tools

#Hash GeneratorMD5 · SHA-256 · SHA-512🔐JWT DecoderDecode & verify JWT tokens🔒AES Encrypt/DecryptAES-256-GCM encryption🔢Base64 EncoderEncode & decode Base64