HMAC Generator
Compute an HMAC (keyed hash) of a message using a secret key, with SHA-256, SHA-1, SHA-384, or SHA-512. Output in hex and Base64. Runs entirely in your browser.
About this tool
HMAC (Hash-based Message Authentication Code) combines a secret key with a message to produce a tag that proves both the integrity and the authenticity of the message: only someone holding the same key can generate or verify the tag. It is the mechanism behind signed webhooks (Stripe, GitHub, Shopify), API request signing (AWS Signature), and the HS256/HS384/HS512 family of JWT signatures. This tool computes the HMAC of your message under a chosen hash function and secret, showing the result in both hexadecimal and Base64 so you can match whatever format your API expects. Unlike a plain hash, an HMAC cannot be forged or recomputed by someone who does not know the key, which is exactly why it is used to authenticate. The key and message are processed locally with the browser's Web Crypto API and never transmitted.
How to use it
- Pick the hash algorithm your system uses (SHA-256 is the most common).
- Enter the shared secret key.
- Enter or paste the message to authenticate.
- Copy the resulting tag in hex or Base64 to compare against the expected signature.
Frequently asked questions
- How is an HMAC different from a plain hash?
- A plain hash like SHA-256 can be computed by anyone, so it only detects accidental changes. An HMAC mixes in a secret key, so only parties who know the key can produce or verify the tag — that proves the message came from a trusted source and was not tampered with.
- What is HMAC used for?
- Verifying webhook payloads (the sender signs with a shared secret and you recompute to confirm), signing API requests, and the HS256/HS384/HS512 JWT signature algorithms. Anywhere two parties share a secret and need to authenticate messages.
- Should I output hex or Base64?
- It depends on what the other system expects. GitHub webhooks send a hex digest prefixed with "sha256="; many other APIs use Base64. This tool shows both so you can match either convention exactly.
- Which hash function should I choose?
- HMAC-SHA256 is the modern default and is what most APIs and JWT HS256 use. SHA-384 and SHA-512 give longer tags; HMAC-SHA1 is still seen in older systems and, because the key protects it, remains acceptable for HMAC despite SHA-1 being weak as a plain hash.
- Does the key length matter?
- Longer, high-entropy keys are stronger. Web Crypto accepts any key length; keys longer than the hash block size are themselves hashed first, per the HMAC spec. Use a random secret of at least the hash output length for real security.
- Is my secret key sent anywhere?
- No. The key and message are used only by the in-browser Web Crypto API. Nothing is transmitted or stored, so it is safe to test with real signing secrets.
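The webhook check described in the answers above (recompute the tag from the shared secret, then compare it with the signature you received) can be scripted with the same Web Crypto API. This is an added example, not this tool's own code. The function names `hmacTag`, `decodeSignature` and `verifySignature` are hypothetical, and it assumes the signature arrives either as GitHub-style `sha256=<hex>` or as bare Base64.

```javascript
// Added example: compute and verify an HMAC tag with the Web Crypto API.
const enc = new TextEncoder();
// Browsers and current Node expose crypto.subtle globally; the require() is a fallback for older Node.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;

function importKey(secret, hash, usages) {
  // extractable = false: the imported key cannot be read back out of the CryptoKey
  return subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash }, false, usages);
}

// Returns the tag in both encodings, hex and Base64.
async function hmacTag(secret, message, hash = "SHA-256") {
  const key = await importKey(secret, hash, ["sign"]);
  const tag = new Uint8Array(await subtle.sign("HMAC", key, enc.encode(message)));
  const hex = Array.from(tag, b => b.toString(16).padStart(2, "0")).join("");
  const base64 = btoa(String.fromCharCode(...tag));
  return { hex, base64 };
}

// Decode a received signature into raw bytes, or null if it is malformed.
function decodeSignature(sig) {
  const m = /^sha256=([0-9a-f]{64})$/i.exec(sig);
  if (m) return Uint8Array.from(m[1].match(/../g), h => parseInt(h, 16));
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(sig)) return null;
  try {
    return Uint8Array.from(atob(sig), c => c.charCodeAt(0));
  } catch {
    return null; // Base64 alphabet was fine but the length or padding was not
  }
}

// True only if sig is a valid HMAC of message under secret.
async function verifySignature(secret, message, sig, hash = "SHA-256") {
  const tag = decodeSignature(sig);
  if (tag === null) return false;
  const key = await importKey(secret, hash, ["verify"]);
  // subtle.verify recomputes the HMAC and compares raw bytes, so the check
  // does not depend on hex case or on a string === comparison in your code.
  return subtle.verify("HMAC", key, tag, enc.encode(message));
}
```

Sign and verify the exact bytes received: re-serialising a JSON body before verification changes the message and the tag will no longer match.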