#

HMAC-SHA256 Generator Online — API Authentication & Webhook Signing

All 4 algorithms simultaneously · HMAC mode · File hashing · Compare · Batch · 100% browser-side

Show:
INPUT — TEXT / STRING
0 B
HASH RESULTS
#

Type text → get all 4 hashes instantly

MD5 · SHA-1 · SHA-256 · SHA-512 · Real-time

MD5128-bit · 32 hex chars · Fast · Not for security
SHA-1160-bit · 40 hex chars · Deprecated for security
SHA-256256-bit · 64 hex chars · Industry standard
SHA-512512-bit · 128 hex chars · Maximum security
🔍 Compare Hash — Verify File / Data Integrity
Ctrl+L ClearCtrl+S DownloadCtrl+Shift+C Copy SHA-256P Pin
💡

Generate HMAC-SHA256 signatures for API authentication and webhook verification. Enter your message and secret key — get the HMAC-SHA256 signature instantly. Used by GitHub webhooks, Stripe, AWS Signature V4, and JWT HS256. 100% browser-side — your secret key never leaves your device.

What is a Hash Function?

A hash function converts any input — text, password, file — into a fixed-length string of hexadecimal characters. The same input always produces the same hash, but even a single character change produces a completely different hash. Hashes are one-way — you cannot reverse them to recover the original input.

MD5 vs SHA-1 vs SHA-256 vs SHA-512

MD5 (128-bit, 32 hex chars) is fast and widely used for non-security checksums but is cryptographically broken. SHA-1 (160-bit, 40 hex chars) is deprecated for security use since 2017. SHA-256 (256-bit, 64 hex chars) is the current industry standard — used in SSL certificates, Bitcoin, and code signing. SHA-512 (512-bit, 128 hex chars) offers maximum security for highly sensitive applications.

Frequently Asked Questions

What is HMAC-SHA256?

HMAC-SHA256 (Hash-based Message Authentication Code using SHA-256) combines your message with a secret key using SHA-256 to produce a signature. It verifies both data integrity (hash) and authenticity (secret key).

How do I use HMAC-SHA256 for API authentication?

Enable HMAC toggle, enter your API secret, and paste your request body or canonical request string. The output is your HMAC-SHA256 signature. Include it in your request header as specified by the API documentation.

How do I verify GitHub webhook signatures?

GitHub sends X-Hub-Signature-256 with each webhook. Compute HMAC-SHA256 of the raw request body using your webhook secret. If it matches the header value, the webhook is authentic.

What is the difference between HMAC-MD5, HMAC-SHA256, and HMAC-SHA512?

All three use the same HMAC construction but with different underlying hash functions. HMAC-MD5 is legacy. HMAC-SHA256 is the current standard for most APIs. HMAC-SHA512 offers extra security for high-value systems.

Is my secret key safe?

Yes. HMAC computation happens entirely in your browser. Your secret key is never sent to any server, stored in any database, or logged anywhere. Close the browser tab to clear it from memory.

Related Developer Tools

🔑HMAC GeneratorHMAC-SHA256 · API auth🔒Bcrypt GeneratorPassword hashing with salt🔢Base64 EncoderEncode text & files to Base64🔗URL Encode/DecodePercent encoding tool