🔑

HMAC-SHA256 Generator Online — AWS · GitHub · Stripe Webhook Signing

HMAC-SHA1 · HMAC-SHA256 · HMAC-SHA384 · HMAC-SHA512 · Webhook verify · Batch · API signing · 100% browser-side

Key:
Output:
Samples:
MESSAGE / DATA TO SIGN
SECRET KEY

🔒 Key never leaves your browser — processed via Web Crypto API

0
HMAC SIGNATURES
🔑

Enter message + secret key to generate HMAC

HMAC-SHA256 · HMAC-SHA512 · Real-time · Web Crypto API

HMAC-SHA-1160-bit · 20 bytes · Legacy
HMAC-SHA-256256-bit · 32 bytes · Standard ✓★ Recommended
HMAC-SHA-384384-bit · 48 bytes · High security
HMAC-SHA-512512-bit · 64 bytes · Maximum
🔍 Verify HMAC Signature
Ctrl+L ClearCtrl+S DownloadCtrl+Shift+C Copy active HMACP Pin
💡

HMAC-SHA256 is the industry standard for API authentication and webhook signing. Used by AWS Signature V4, GitHub webhooks, Stripe, Shopify, and most REST APIs. Enter your message and secret key to get the HMAC-SHA256 signature instantly.

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a hash function with a secret key. Unlike a plain hash which only verifies data integrity, HMAC also proves authenticity — only someone with the correct secret key can produce a valid HMAC. It is the backbone of API authentication, webhook verification, and JWT signatures.

HMAC-SHA256 vs HMAC-SHA512

HMAC-SHA256 is the current industry standard — used by AWS Signature V4, GitHub webhooks, Stripe, Shopify, and most modern REST APIs. It produces a 64-character hex signature. HMAC-SHA512 provides extra security with a 128-character hex signature and is preferred for banking, fintech, and high-security systems. Both are secure — choose SHA256 for compatibility and SHA512 for maximum security.

Frequently Asked Questions

What is HMAC-SHA256?

HMAC-SHA256 uses SHA-256 as the underlying hash to generate a 64-character hex authentication code. It is the most widely supported HMAC variant in modern APIs.

How does AWS use HMAC-SHA256?

AWS Signature V4 uses HMAC-SHA256 to sign API requests. The signature is computed by chaining multiple HMAC operations on the canonical request string with your AWS secret key and region.

How does GitHub use HMAC-SHA256?

GitHub signs webhook payloads with HMAC-SHA256 using your webhook secret. The signature is sent in the X-Hub-Signature-256 header as "sha256=<hex>".

Can I use HMAC-SHA256 for JWT?

Yes. JWT HS256 algorithm uses HMAC-SHA256 to sign the header.payload string. This tool can compute the signature — paste header.payload as message and your JWT secret as key.

HMAC-SHA256 vs HMAC-SHA512?

Both are secure. HMAC-SHA256 produces 64 hex chars and is faster on 32-bit systems. HMAC-SHA512 produces 128 hex chars and is stronger. Choose SHA256 for API compatibility, SHA512 for maximum security.

Related Developer Tools

#Hash GeneratorMD5 · SHA-256 · SHA-512🔐JWT DecoderDecode & verify JWT tokens🔒AES Encrypt/DecryptAES-256-GCM encryption🔢Base64 EncoderEncode & decode Base64