HMAC Generator

Generate keyed HMAC signatures for text messages in your browser using common SHA algorithms.

Message and secret key

The message is encoded as UTF-8. Choose how the secret key should be decoded.

Processed locally in your browser: your input is not uploaded or sent to a server. Avoid pasting production secrets, access tokens, private keys, passwords, or sensitive customer data unless you understand the risk.
Use neutral test credentials, not production secrets.

HMAC authenticates; it does not encrypt. Anyone who can read the message can still see its content. HMAC-SHA-1 is legacy; prefer HMAC-SHA-256 or HMAC-SHA-512 for modern integrations.

HMAC result

HMAC-SHA-256 with hexadecimal output is selected by default.

Comparison uses every signature byte and avoids an early exit where practical in browser code.

What is an HMAC Generator?

An HMAC Generator combines a message, a shared secret key, and a cryptographic hash algorithm to create a message authentication code. A receiver with the same key can independently calculate the HMAC and compare signatures.

HMAC vs hash

A regular hash depends only on the input, so anyone can reproduce it. HMAC also requires a secret key, allowing systems that share the key to detect changed messages and authenticate their source.

HMAC vs encryption

HMAC protects integrity and authenticity, not confidentiality. It does not hide message content. Use encryption separately when the message itself must remain unreadable to unauthorized parties.

Common HMAC use cases

  • Verify webhook payload signatures
  • Sign API requests and canonical request strings
  • Authenticate messages between trusted services
  • Detect changes to signed configuration or metadata

Choosing SHA-256 or SHA-512

HMAC-SHA-256 is the common default for modern APIs and webhook providers. Choose HMAC-SHA-512 when a protocol requires its longer output. Match the exact algorithm and encoding documented by the system you integrate with.

API and webhook verification basics

Verify the exact raw bytes and canonical format required by the provider, decode the shared secret correctly, and compare signatures without stopping at the first differing byte. Production services should also validate timestamps and reject replayed requests where supported.
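One way to apply these checks in a Node.js webhook receiver, as an added example that is not this tool's own code. The signing layout (`<timestamp>.` followed by the raw body), the 300-second window, and the in-memory replay set are assumptions, and all sample values are constructed.

```javascript
// Added example: constructed signing scheme, not any specific provider's.
const crypto = require('node:crypto');

const TOLERANCE_SECONDS = 300;      // assumed freshness window
const seenSignatures = new Set();   // assumed in-memory replay cache

// Decode the shared secret the way the provider documents it.
function decodeKey(secret, encoding) {
  if (!['utf8', 'hex', 'base64'].includes(encoding)) {
    throw new Error(`unsupported key encoding: ${encoding}`);
  }
  return Buffer.from(secret, encoding);
}

// HMAC-SHA-256 over "<timestamp>." followed by the exact raw body bytes.
function sign(key, timestamp, rawBody) {
  return crypto.createHmac('sha256', key)
    .update(`${timestamp}.`).update(rawBody).digest();
}

function verifyWebhook({ key, timestamp, rawBody, signatureHex, now }) {
  if (!/^\d+$/.test(String(timestamp))) return 'bad-timestamp';
  if (Math.abs(now - Number(timestamp)) > TOLERANCE_SECONDS) return 'stale';
  if (!/^[0-9a-f]{64}$/i.test(String(signatureHex))) return 'bad-signature';

  const expected = sign(key, timestamp, rawBody);
  const received = Buffer.from(signatureHex, 'hex');
  // Both buffers are 32 bytes here; timingSafeEqual compares every byte.
  if (!crypto.timingSafeEqual(expected, received)) return 'mismatch';

  // Record only authenticated signatures so junk cannot fill the cache.
  const id = signatureHex.toLowerCase();
  if (seenSignatures.has(id)) return 'replay';
  seenSignatures.add(id);
  return 'ok';
}

// Constructed sample: hex key "746573742d6b6579" is the bytes of "test-key".
const key = decodeKey('746573742d6b6579', 'hex');
const rawBody = Buffer.from('{"event":"ping","id":1}', 'utf8');
const timestamp = '1700000000';
const signatureHex = sign(key, timestamp, rawBody).toString('hex');
const request = { key, timestamp, rawBody, signatureHex, now: 1700000010 };

console.log(verifyWebhook(request));   // ok: first delivery
console.log(verifyWebhook(request));   // replay: same request again
const reparsed = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString()), null, 1));
console.log(verifyWebhook({ ...request, rawBody: reparsed }));   // mismatch
```

The last call shows why the raw bytes matter: parsing and re-serializing the same JSON changes the bytes, so the signature no longer matches.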

Frequently asked questions

Does this HMAC Generator upload my secret key?

No. The message, secret key, generated HMAC, expected HMAC, and verification details stay in your browser and are excluded from analytics.

What is the difference between HMAC and a hash?

A hash requires only the message. HMAC also requires a shared secret key, which makes it suitable for message authentication and integrity checks between trusted parties.

Is HMAC encryption?

No. HMAC does not conceal the message. It creates a keyed signature that can reveal whether the message changed or was signed with a different key.

Which HMAC algorithm should I use?

Use HMAC-SHA-256 for most modern systems. Use HMAC-SHA-512 when an API, protocol, or security standard specifically requires it.

Can I verify webhook signatures with this tool?

Yes, for test data. Use the provider's exact message bytes, key encoding, hash algorithm, and output encoding. For production verification, implement the provider's timestamp and replay-protection rules in your application.

Should I use HMAC-SHA-1?

Only for legacy compatibility when a system requires it. Prefer HMAC-SHA-256 or HMAC-SHA-512 for new integrations.