Your data is never sent to a server or stored anywhere. All processing happens in your browser.

HMAC Generator

Algorithm
HMAC Output

How to Use


  1. Enter the message text you want to authenticate.
  2. Enter the secret key used for HMAC computation.
  3. Select a hash algorithm (SHA-1, SHA-256, SHA-384, or SHA-512).
  4. The HMAC is generated in real time as you type.
  5. Click the copy button to copy the HMAC to your clipboard.

What is HMAC?


HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message. It combines a secret key with a hash function to produce a unique signature. Unlike plain hashes, HMAC requires knowledge of the secret key, making it resistant to tampering.

Common Use Cases


  • API authentication: Signing API requests to verify the sender's identity (e.g., webhook signatures).
  • Data integrity: Ensuring a message has not been altered during transmission.
  • Token generation: Creating secure tokens for session management or password reset flows.
  • Digital signatures: Used as a building block in protocols like OAuth, JWT, and TLS.

Algorithm Selection


  • HMAC-SHA1: 160-bit output. Widely supported but SHA-1 is considered weak for standalone hashing. HMAC-SHA1 remains safe for message authentication, but prefer SHA-256 for new projects.
  • HMAC-SHA256: 256-bit output. The most commonly recommended choice. Used by AWS, Stripe, GitHub webhooks, and most modern APIs.
  • HMAC-SHA384: 384-bit output. Offers higher security margin than SHA-256. Used in government and financial applications.
  • HMAC-SHA512: 512-bit output. Maximum security. Can be faster than SHA-256 on 64-bit systems due to native 64-bit operations.

Security Notes


  • Never reuse the same secret key across different applications or services.
  • Use a cryptographically random key of at least the same length as the hash output (e.g., 32 bytes for HMAC-SHA256).
  • Always compare HMAC values using constant-time comparison functions to prevent timing attacks.
  • Keep your secret keys confidential — anyone with the key can generate valid HMACs.
  • This tool is intended for testing and debugging. In production, use your programming language's crypto library.

Privacy


All HMAC computation happens in your browser using the Web Crypto API (crypto.subtle). Your message and secret key are never sent to a server.

FAQ


How is HMAC different from a plain hash like SHA-256?

A plain hash is computed from the input alone, so anyone who knows the input can reproduce it. HMAC also mixes in a secret key, so someone without the key cannot forge the correct value — which is what makes it useful for tamper detection and sender authentication.

Are the message and secret key I enter sent to a server?

No. All HMAC computation happens in your browser using the Web Crypto API (crypto.subtle). Your message and secret key are never sent to a server, stored, or logged.

Which hash algorithm should I choose?

HMAC-SHA256 is recommended for most use cases and is used by AWS, Stripe, and GitHub webhooks. Choose SHA-384 or SHA-512 when you need a higher security margin, and use SHA-1 only for legacy compatibility.

Can I use the HMAC generated here in production?

This tool is meant for testing, debugging, and verifying things like webhook signatures. In a production app, don't type secret keys into a browser — generate and verify HMACs server-side using your language's crypto library.

How should I handle the secret key?

Use a cryptographically random key at least as long as the hash output (32 bytes for HMAC-SHA256) and don't reuse it across services. Anyone with the key can generate valid HMACs, so it must be kept strictly confidential.