HMAC Generator
Keyed HMAC-SHA1/256/512 of any message.
— How to use
- 1 Enter the message to authenticate.
- 2 Enter the secret key.
- 3 Choose SHA-1, SHA-256 or SHA-512.
- 4 Copy the hex HMAC digest.
About HMAC Generator
The HMAC Generator computes a hash-based message authentication code from a message and a secret key, returning a lowercase hexadecimal digest.
Unlike a plain hash, an HMAC mixes in a shared secret, so only someone who knows the key can produce or verify the code — that is what proves a message has not been tampered with and really came from the holder of the key.
Choose SHA-1, SHA-256 or SHA-512 as the underlying hash; SHA-256 is the most common choice for webhooks and API signing.
The computation uses the browser's native Web Crypto (SubtleCrypto) implementation.
HMACs are everywhere in modern systems: signing and verifying webhook payloads (Stripe, GitHub and others), authenticating API requests, building one-time passwords, and protecting cookies and tokens against forgery.
Because the key and message never leave your browser, you can safely test real signing secrets without exposing them to any server.
Enter your message and key, pick an algorithm, and copy the resulting digest to compare against an expected signature.
FAQ
How is HMAC different from a plain hash?
HMAC combines the message with a secret key, so the digest can only be produced or verified by someone who knows the key — proving authenticity, not just integrity.
Which algorithm should I use?
HMAC-SHA256 is the common default for webhooks and API signing. Use SHA-512 for a longer digest, or SHA-1 only to match an existing legacy system.