HMAC Generator
Compute HMAC-SHA256, HMAC-SHA512 and more using the Web Crypto API
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic mechanism that combines a secret key with a hash function (SHA-256, SHA-512, etc.) to produce an authentication tag, often called a signature, that verifies both the integrity and authenticity of a message. It's widely used in API authentication, webhook verification, JWT signing, and secure data transmission.
How to Use HMAC Generator
- Enter your message (the data to authenticate)
- Enter your secret key (keep this private)
- Choose output format: hex or Base64
- Click Generate to compute HMAC for all algorithms at once
Features
- Supports HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512
- Hex and Base64 output formats
- All algorithms computed simultaneously for easy comparison
- Uses the browser's native Web Crypto API — no external libraries
- 100% client-side — your message and key never leave your browser
Frequently Asked Questions
HMAC vs plain hash — what's the difference?
A plain hash (SHA-256, MD5) is unkeyed: anyone can compute it from the data alone, so it says nothing about who produced the data. HMAC requires a secret key, so only parties with the key can verify or reproduce the signature. This makes tampering and forgery detectable.
Which algorithm should I use?
HMAC-SHA256 is the most widely used and recommended for most applications. HMAC-SHA512 provides a larger output (512 bits) for higher security margins. HMAC-SHA1 is legacy — still secure as a MAC but avoid it for new systems.
When is HMAC used in practice?
Common uses: verifying GitHub/Stripe webhooks, signing JWT tokens (HS256 = HMAC-SHA256), AWS request signing (SigV4), API key authentication, and cookie tamper detection.
Is my secret key safe?
Yes. This tool uses the browser's built-in Web Crypto API and runs entirely client-side. Your secret key is never transmitted to any server.
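The computation described on this page, written directly against the Web Crypto API, together with the verification step a webhook receiver would run. This is an added example, not the tool's own source; the function names (`hmac`, `hmacAll`, `verifyHex`) are hypothetical, and the sample input is the key and message from RFC 4231 test case 2.

```javascript
// Added example. Web Crypto is globalThis.crypto in browsers and current Node;
// the require() fallback only covers older Node builds.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

const HASHES = ['SHA-1', 'SHA-256', 'SHA-384', 'SHA-512'];
const enc = new TextEncoder();

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));

// Import the secret as a non-extractable HMAC key limited to the given usages.
function importKey(secret, hash, usages) {
  return subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash }, false, usages);
}

// Compute one tag and encode it as hex (default) or Base64.
async function hmac(message, secret, hash = 'SHA-256', format = 'hex') {
  const key = await importKey(secret, hash, ['sign']);
  const tag = new Uint8Array(await subtle.sign('HMAC', key, enc.encode(message)));
  return format === 'base64' ? toBase64(tag) : toHex(tag);
}

// Compute the tag under all four hash functions, keyed by the names used on this page.
async function hmacAll(message, secret, format = 'hex') {
  const tags = await Promise.all(HASHES.map((h) => hmac(message, secret, h, format)));
  return Object.fromEntries(HASHES.map((h, i) => [`HMAC-${h.replace('-', '')}`, tags[i]]));
}

// Receiver side: check a hex tag with subtle.verify instead of comparing strings
// by hand. Malformed hex is rejected before any key material is touched.
async function verifyHex(message, secret, tagHex, hash = 'SHA-256') {
  if (!/^([0-9a-f]{2})+$/i.test(tagHex)) return false;
  const key = await importKey(secret, hash, ['verify']);
  const tag = Uint8Array.from(tagHex.match(/../g), (h) => parseInt(h, 16));
  return subtle.verify('HMAC', key, tag, enc.encode(message));
}

// Constructed sample input: key and message from RFC 4231 test case 2.
hmacAll('what do ya want for nothing?', 'Jefe').then(console.log);
```

Importing the key with `extractable` set to `false` and a single usage means a signing-only key cannot be exported again or reused for anything else by later code on the page.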