HMAC Generator
How to Use
- Enter the message text you want to authenticate.
- Enter the secret key used for HMAC computation.
- Select a hash algorithm (SHA-1, SHA-256, SHA-384, or SHA-512).
- The HMAC is generated in real time as you type.
- Click the copy button to copy the HMAC to your clipboard.
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message. It combines a secret key with a hash function to produce a fixed-length authentication tag, often called a signature. Unlike a plain hash, which anyone can recompute after changing the message, a valid HMAC can only be produced with knowledge of the secret key, so tampering is detectable.
Common Use Cases
- API authentication: Signing API requests to verify the sender's identity (e.g., webhook signatures).
- Data integrity: Ensuring a message has not been altered during transmission.
- Token generation: Creating secure tokens for session management or password reset flows.
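- Digital signatures: Used as a building block in protocols like OAuth, JWT, and TLS. HMAC is symmetric: the signer and the verifier hold the same key, so unlike an asymmetric signature it cannot show a third party which of them produced the tag.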
Algorithm Selection
- HMAC-SHA1: 160-bit output. Widely supported, but SHA-1 is considered weak for standalone hashing. HMAC-SHA1 remains safe for message authentication, but prefer SHA-256 for new projects.
- HMAC-SHA256: 256-bit output. The most commonly recommended choice. Used by AWS, Stripe, GitHub webhooks, and most modern APIs.
- HMAC-SHA384: 384-bit output. Offers a higher security margin than SHA-256. Used in government and financial applications.
- HMAC-SHA512: 512-bit output. Maximum security. Can be faster than SHA-256 on 64-bit systems due to native 64-bit operations.
Security Notes
- Never reuse the same secret key across different applications or services.
- Use a cryptographically random key of at least the same length as the hash output (e.g., 32 bytes for HMAC-SHA256).
- Always compare HMAC values using constant-time comparison functions to prevent timing attacks.
- Keep your secret keys confidential — anyone with the key can generate valid HMACs.
- This tool is intended for testing and debugging. In production, use your programming language's crypto library.
Privacy
All HMAC computation happens in your browser using the Web Crypto API (crypto.subtle). Your message and secret key are never sent to a server.