Loading tool…
How to Generate HMAC Signatures
The HMAC Generator computes keyed-hash message authentication codes using SHA-1, SHA-256, SHA-384, or SHA-512 — via the browser's Web Crypto API.
- Enter your message (the data to authenticate) and your secret key.
- Select the hash algorithm (SHA-256 is recommended).
- View the HMAC output in hex or Base64 format and copy it.
What Is HMAC?
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce an authentication tag. Unlike a plain hash, an HMAC proves both integrity (the message was not altered) and authenticity (the sender knows the secret key). HMACs are used in API authentication (e.g., AWS Signature V4), webhook verification, and secure token generation.
Why Use Our HMAC Generator?
- Multiple algorithms — SHA-1, SHA-256, SHA-384, SHA-512.
- Web Crypto powered — native browser API, not a polyfill.
- Hex and Base64 output — choose the format your API expects.
- Private — your secret key never leaves the browser.
Frequently Asked Questions
What is the difference between a hash and an HMAC?
A hash takes only a message as input. An HMAC takes both a message and a secret key. The HMAC proves that the message was created by someone who knows the key, while a plain hash only proves the message was not altered.
Which algorithm should I use?
SHA-256 is the most common choice and is used by AWS, Stripe, GitHub, and most modern APIs. Use SHA-512 for extra security margin.
Can I verify a webhook signature with this?
Yes. Paste the webhook body as the message and your webhook secret as the key. Compare the output with the signature in the webhook header.
Is my secret key safe?
Yes. All computation happens in your browser. The key is never transmitted.