🔑

Message Authentication Code (MAC) Generator — HMAC Online

HMAC-SHA1 · HMAC-SHA256 · HMAC-SHA384 · HMAC-SHA512 · Webhook verify · Batch · API signing · 100% browser-side

Key:
Output:
Samples:
MESSAGE / DATA TO SIGN
SECRET KEY

🔒 Key never leaves your browser — processed via Web Crypto API

0
HMAC SIGNATURES
🔑

Enter message + secret key to generate HMAC

HMAC-SHA256 · HMAC-SHA512 · Real-time · Web Crypto API

HMAC-SHA-1160-bit · 20 bytes · Legacy
HMAC-SHA-256256-bit · 32 bytes · Standard ✓★ Recommended
HMAC-SHA-384384-bit · 48 bytes · High security
HMAC-SHA-512512-bit · 64 bytes · Maximum
🔍 Verify HMAC Signature
Ctrl+L ClearCtrl+S DownloadCtrl+Shift+C Copy active HMACP Pin
💡

A Message Authentication Code (MAC) verifies both the integrity and authenticity of a message. HMAC is the most widely used MAC construction — it combines SHA-256 or SHA-512 with a shared secret key. Used in TLS, SSH, IPSec, and all modern authentication protocols.

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a hash function with a secret key. Unlike a plain hash which only verifies data integrity, HMAC also proves authenticity — only someone with the correct secret key can produce a valid HMAC. It is the backbone of API authentication, webhook verification, and JWT signatures.

HMAC-SHA256 vs HMAC-SHA512

HMAC-SHA256 is the current industry standard — used by AWS Signature V4, GitHub webhooks, Stripe, Shopify, and most modern REST APIs. It produces a 64-character hex signature. HMAC-SHA512 provides extra security with a 128-character hex signature and is preferred for banking, fintech, and high-security systems. Both are secure — choose SHA256 for compatibility and SHA512 for maximum security.

Frequently Asked Questions

What is a Message Authentication Code (MAC)?

A MAC is a short piece of information used to authenticate a message. It is computed from the message and a secret key. Both sender and receiver must know the secret key. If the MAC matches, the message is authentic and unmodified.

MAC vs Digital Signature — what is the difference?

MAC uses a shared secret key (symmetric) — both parties must have the same key. Digital signatures use asymmetric keys (private to sign, public to verify). MACs are faster; digital signatures are better for non-repudiation.

Is HMAC the same as a MAC?

HMAC is a specific type of MAC that uses a hash function internally. Other MAC constructions exist (CMAC, GMAC, Poly1305) but HMAC is the most widely used due to its simplicity and proven security.

What does "message authentication" mean?

Authentication here means proving the message came from someone who knows the secret key — not just that the data was not corrupted. A plain checksum (CRC32) ensures integrity but not authenticity.

Which protocols use HMAC?

TLS 1.2 uses HMAC for record authentication. SSH uses HMAC for packet integrity. IPSec uses HMAC for tunnel authentication. OAuth 1.0 used HMAC-SHA1 for request signing (now mostly replaced by OAuth 2.0 + JWT).

Related Developer Tools

#Hash GeneratorMD5 · SHA-256 · SHA-512🔐JWT DecoderDecode & verify JWT tokens🔒AES Encrypt/DecryptAES-256-GCM encryption🔢Base64 EncoderEncode & decode Base64