HMAC Generator

Generate HMAC signatures using SHA-256, SHA-384, and SHA-512 algorithms

Enter the message or data to authenticate

Enter the secret key for HMAC generation (keep this private)

What is an HMAC Generator?

An HMAC (Hash-based Message Authentication Code) generator creates a cryptographic signature by combining your data with a secret key. Unlike regular hashes, HMAC requires both the message and a secret key, making it perfect for verifying both data integrity and authenticity. Only someone with the correct secret key can generate a valid HMAC signature.

How to Use

  1. Enter your message or data in the input text field
  2. Enter your secret key (keep this private and secure)
  3. Select an HMAC algorithm (HMAC-SHA256 is recommended)
  4. Click "Generate HMAC" to create the signature
  5. Copy the HMAC in hex or base64 format as needed

Example

Input text:

Hello, World!

Secret key:

my-secret-key

HMAC-SHA256 (hex):

2d8c2f6d978ca21712b5f6de36c9d31fa8e96a4fa5d8ff8b0188dfb9e7c171bb

HMAC-SHA256 (base64):

LYwvbZeMohcStfbeNsnTH6jpavrV2P+LAYjfuefBcbs=

Supported Algorithms

  • HMAC-SHA256: Most widely used, provides 256-bit signatures. Recommended for API authentication, webhooks, and JWT signing.
  • HMAC-SHA384: Stronger variant providing 384-bit signatures. Good balance of security and performance.
  • HMAC-SHA512: Strongest variant providing 512-bit signatures. Maximum security for sensitive applications.

Common Use Cases

  • API Authentication: Sign API requests to prove they came from an authorized source
  • Webhook Verification: Verify webhook payloads from services like GitHub, Stripe, or Slack
  • JWT Signing: Create and verify JSON Web Token signatures
  • Message Authentication: Ensure messages haven't been tampered with in transit
  • Data Integrity: Verify data hasn't been modified in distributed systems

Output Formats

This tool provides HMAC output in two formats:

  • Hex (Hexadecimal): Uses 0-9 and a-f characters. More readable and commonly used for debugging. Twice as long as the raw bytes.
  • Base64: Uses A-Z, a-z, 0-9, +, and / characters. More compact and commonly used in APIs and HTTP headers.

Security Best Practices

  • Use strong, random secret keys of at least 32 characters (256 bits)
  • Never share or expose your secret keys publicly
  • Use HMAC-SHA256 or stronger algorithms for production systems
  • Rotate secret keys periodically for enhanced security
  • Use constant-time comparison when verifying HMACs to prevent timing attacks
  • Store secret keys securely using environment variables or key management systems

Technical Notes

This tool uses the browser's native Web Crypto API (crypto.subtle.sign with HMAC), which provides secure, hardware-accelerated cryptographic operations. The Web Crypto API requires a secure context (HTTPS or localhost) to function. All HMAC generation happens entirely in your browser—your data and secret keys never leave your device.

Privacy Notice

All HMAC generation happens entirely in your browser. Your input data and secret key are never transmitted to any server, ensuring complete privacy. This is especially important when working with sensitive data or production secret keys.

Related Tools

Hash Generator

Generate SHA hashes for text and data

security

JWT Generator

Generate JSON Web Tokens with multiple algorithm support and custom claims

api-tools
Coming Soon

JWT Signature Verifier

Verify JWT token signatures with key validation and expiration checking

api-tools

Password Generator

Generate cryptographically secure random passwords with customizable strength

security