Skip to content

HMAC Generator

Sign messages securely in your browser

Choose an algorithm, enter your secret and message, and instantly get the hex and Base64 digests.

Preset templates

Algorithm

Secret key

Message

Digest preview

hex: (waiting)

Hex

awaiting result...

Base64

awaiting result...

What Is HMAC?

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a fixed-length digest that proves both the integrity and authenticity of a message. Unlike a plain hash, HMAC requires the same secret on both sides, so an attacker who can see the message cannot forge a valid signature without knowing the key. HMAC is defined in RFC 2104 and is supported by every major programming language and cloud platform.

How to Use This Tool

Enter your secret key and the message you want to sign, then select a hash algorithm. The tool computes the HMAC in real time using the Web Crypto API -- nothing leaves your browser. Both the hex and Base64 representations are displayed, and you can copy either with a single click. To get started quickly, choose one of the preset templates (AWS Signature V4, Stripe Webhook, or GitHub Webhook) and the key field will be pre-filled with an example value along with a contextual note.

Choosing the Right Algorithm

SHA-256 is the most widely adopted choice and is required by AWS Signature V4, Stripe, and GitHub webhooks. SHA-384 and SHA-512 offer larger digests and may be preferred in high-security contexts or when compliance standards mandate them. SHA-1 is still supported for legacy compatibility, but it is considered weak and should be avoided for new integrations.

Real-World Applications

  • API authentication: Services like AWS sign every request with HMAC-SHA256 to verify the caller's identity without transmitting the secret.
  • Webhook verification: Stripe and GitHub attach an HMAC signature header so your server can confirm the payload was not tampered with in transit.
  • Token generation: JWT libraries use HMAC when the signing algorithm is HS256, HS384, or HS512.
  • Data integrity: File transfer systems compute HMAC digests so the receiver can detect corruption or tampering.

FAQs

What is the difference between HMAC and a regular hash?

A regular hash like SHA-256 only provides integrity — anyone can compute it. HMAC combines a hash with a secret key to provide both integrity and authentication. Only someone with the key can generate or verify the HMAC.

How long should the HMAC key be?

The key should be at least as long as the hash output (e.g. 32 bytes for HMAC-SHA256). Shorter keys are padded, longer keys are hashed first. Use a cryptographically random key, not a simple string.

How is HMAC used for API authentication?

Many APIs (AWS, Stripe, GitHub webhooks) use HMAC to sign requests. The sender computes an HMAC of the request body using a shared secret and includes it in a header. The receiver recomputes the HMAC and compares.

What are timing attacks and how does HMAC prevent them?

A timing attack measures how long string comparison takes to detect which bytes match. Secure HMAC verification uses constant-time comparison (comparing all bytes regardless of mismatches) to prevent this side-channel attack.

Which HMAC algorithm should I use?

HMAC-SHA256 is the most common choice, offering a good balance of security and performance. Use HMAC-SHA512 for extra security margin. Avoid HMAC-MD5 and HMAC-SHA1 for new applications.

Is Free HMAC Generator Online — SHA-256, SHA-512 & More free to use?

Free HMAC Generator Online — SHA-256, SHA-512 & More is completely free and runs in your browser.

Does Free HMAC Generator Online — SHA-256, SHA-512 & More send my data to a server?

No. Free HMAC Generator Online — SHA-256, SHA-512 & More processes input directly in your browser.

Do I need to create an account to use Free HMAC Generator Online — SHA-256, SHA-512 & More?

No account is required to use Free HMAC Generator Online — SHA-256, SHA-512 & More.

Privacy-first by design

Tool inputs are processed in your browser. Review the Privacy Policy and Terms for full details.

Related Tools

All Tools

UUID Generator

Generate unique UUIDs for your applications.

Open Tool →

Hash Generator

Generate MD5, SHA1, SHA256 hashes securely.

Open Tool →

Password Generator

Generate strong, secure passwords in seconds.

Open Tool →

Color Palette Generator

Generate Tailwind palettes, CSS variables, and WCAG contrast checks.

Open Tool →