Sign messages securely in your browser

What Is HMAC?

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a fixed-length digest that proves both the integrity and authenticity of a message. Unlike a plain hash, HMAC requires the same secret on both sides, so an attacker who can see the message cannot forge a valid signature without knowing the key. HMAC is defined in RFC 2104 and is supported by every major programming language and cloud platform.

How to Use This Tool

Enter your secret key and the message you want to sign, then select a hash algorithm. The tool computes the HMAC in real time using the Web Crypto API -- nothing leaves your browser. Both the hex and Base64 representations are displayed, and you can copy either with a single click. To get started quickly, choose one of the preset templates (AWS Signature V4, Stripe Webhook, or GitHub Webhook) and the key field will be pre-filled with an example value along with a contextual note.

Choosing the Right Algorithm

SHA-256 is the most widely adopted choice and is required by AWS Signature V4, Stripe, and GitHub webhooks. SHA-384 and SHA-512 offer larger digests and may be preferred in high-security contexts or when compliance standards mandate them. SHA-1 is still supported for legacy compatibility, but it is considered weak and should be avoided for new integrations.

Real-World Applications

• API authentication: Services like AWS sign every request with HMAC-SHA256 to verify the caller's identity without transmitting the secret.
• Webhook verification: Stripe and GitHub attach an HMAC signature header so your server can confirm the payload was not tampered with in transit.
• Token generation: JWT libraries use HMAC when the signing algorithm is HS256, HS384, or HS512.
• Data integrity: File transfer systems compute HMAC digests so the receiver can detect corruption or tampering.