HMAC Generator
Generate HMAC signatures using SHA-256, SHA-384, or SHA-512. Hex and Base64 output. Runs entirely in your browser — no data sent to servers.
How to Use
- Enter the message to authenticate.
- Enter your secret key.
- Choose the algorithm (SHA-256, SHA-384, or SHA-512).
- Choose the output format (Hex or Base64).
- Click Generate HMAC and copy the result.
Common Use Cases
- Webhook verification: Verify that a webhook payload was signed by a trusted sender.
- API request signing: Sign API requests to prove authenticity without sending the secret key itself.
- Data integrity: Attach an HMAC to a message so recipients can verify it was not tampered with.
- Session tokens: Generate tamper-proof session identifiers.
FAQ
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a type of message authentication code that combines a cryptographic hash function with a secret key. It is used to verify both the data integrity and the authenticity of a message.
Is my data sent to any server?
No. The tool uses the browser's built-in Web Crypto API (SubtleCrypto) for all cryptographic operations. Your message and secret key never leave your browser.
Which algorithm should I choose?
SHA-256 is the most widely used and is suitable for most purposes. SHA-384 and SHA-512 provide larger security margins but produce longer outputs. All three are considered secure for HMAC use.
What is the difference between Hex and Base64 output?
Both encode the same binary HMAC value in different text formats. Hex uses lowercase hexadecimal digits (0-9, a-f) and is longer. Base64 is more compact and is commonly used in HTTP headers (e.g. Authorization) and JSON.
Can I use this to verify webhook signatures?
Yes. Many services (GitHub, Stripe, Slack) use HMAC-SHA256 to sign webhook payloads. Enter the raw payload as the message and the service's webhook secret as the key, then compare the result to the signature header.