HMAC Generator

Generate HMAC authentication codes with 8 algorithms (SHA-256, SHA-512, MD5, and more). Verify webhook signatures and API tokens instantly.

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a cryptographic mechanism that combines a secret key with a hash function to produce an authentication code. It provides both data integrity and authentication — ensuring that a message hasn't been tampered with and was sent by someone who knows the secret key.

Core Purpose: HMAC verifies both the authenticity and integrity of messages, making it essential for secure communications between systems.

Common Use Cases

Webhook Verification

Services like Stripe, GitHub, and Shopify sign webhook payloads with HMAC-SHA256 so you can verify they're authentic and haven't been tampered with during transmission.

API Authentication

AWS Signature V4 and many REST APIs use HMAC to sign requests, ensuring that API calls come from authorized clients with valid credentials.

JWT Signing

HMAC-SHA256 (HS256) is a common algorithm for JSON Web Tokens, providing a symmetric signing method for stateless authentication.

Message Integrity

Verify that data hasn't been modified during transmission, ensuring the message received is exactly what was sent.

How HMAC Works

HMAC takes two inputs — a secret key and a message — and runs them through a hash function (like SHA-256) in a specific way that makes it computationally infeasible to forge without knowing the key.

HMAC Formula
HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m))

Where:

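  • H is the hash function (e.g., SHA-256)
  • K is the secret key
  • K' is the key K brought to the hash function's block size: hashed first if it is longer than one block, then padded with zeros
  • m is the message to authenticate
  • opad and ipad are the fixed outer and inner padding constants
  • ⊕ is bitwise XOR and || is concatenation

Security Advantage: The nested hash structure with key padding makes HMAC resistant to length extension attacks, and HMAC's security does not depend on the collision resistance of the hash function, so a collision weakness in the hash does not by itself break the HMAC construction.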
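
The formula above, written out step by step in Node.js and checked against the built-in `crypto.createHmac`. This is an added example, not code from this tool; the function names are hypothetical, and the key-padding rule and the ipad/opad byte values (0x36 and 0x5c) come from RFC 2104.

```javascript
const crypto = require('node:crypto');

// Block size B in bytes for each supported hash (SHA-2 family only here).
const BLOCK_SIZE = { sha224: 64, sha256: 64, sha384: 128, sha512: 128 };

// Hash the concatenation of the given byte strings: H(a || b || ...).
function H(alg, ...parts) {
  const h = crypto.createHash(alg);
  for (const p of parts) h.update(p);
  return h.digest();
}

function hmacFromFormula(alg, key, message) {
  const B = BLOCK_SIZE[alg];
  if (!B) throw new Error(`unsupported hash: ${alg}`);
  let k = Buffer.from(key);
  // K': a key longer than one block is hashed first, then zero-padded to B bytes.
  if (k.length > B) k = H(alg, k);
  const kPrime = Buffer.concat([k, Buffer.alloc(B - k.length)]);
  // ipad is the byte 0x36 repeated B times, opad is 0x5c repeated B times.
  const inner = Buffer.from(kPrime.map((b) => b ^ 0x36));
  const outer = Buffer.from(kPrime.map((b) => b ^ 0x5c));
  return H(alg, outer, H(alg, inner, Buffer.from(message)));
}

// True when the hand-built value equals Node's built-in HMAC.
function matchesBuiltin(alg, key, message) {
  const builtin = crypto.createHmac(alg, key).update(message).digest();
  return hmacFromFormula(alg, key, message).equals(builtin);
}

// Constructed keys: shorter than, equal to, and longer than one SHA-256 block.
for (const len of [4, 64, 131]) {
  console.log(len, matchesBuiltin('sha256', 'k'.repeat(len), 'constructed message'));
}
```

The key-length cases matter because a key longer than one block takes the hash-first path, which is where hand-rolled implementations most often diverge from library output.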

How to Use This HMAC Generator

1. Choose an Algorithm

Select your HMAC algorithm from the dropdown. SHA-256 is selected by default and recommended for most use cases. MD5 and SHA-1 are available for legacy compatibility but marked as insecure.

2. Enter Your Secret Key

Type or paste your secret key in the key input field. If your key is in binary format, use the input type selector to switch between String, Hex, or Base64 encoding.

3. Enter Your Message

Enter the message you want to authenticate. Like the key, you can switch the input type if your message is hex-encoded or base64-encoded.

4. Get Your HMAC

The HMAC is generated automatically as you type. Both Hex and Base64 outputs are displayed simultaneously. Click the copy button next to either output to copy it to your clipboard.

Verifying an HMAC

To compare your generated HMAC against an expected value, enable the Verify HMAC checkbox. Paste the expected HMAC — the tool accepts both hex and base64 formats and shows a Match or Mismatch badge instantly.

Pro Tip: When verifying webhook signatures, make sure to use the exact raw request body without any modifications. Even a single character difference will cause verification to fail.

Features

8 HMAC Algorithms

Generate HMAC codes with a wide range of hash algorithms to match any integration requirement:

SHA-256 (Recommended)

The standard choice for webhooks, APIs, and JWT (HS256). Provides excellent security with 256-bit output.

SHA-512

Higher security with 512-bit output. Ideal for applications requiring maximum cryptographic strength.

SHA-384 & SHA-224

Alternative SHA-2 variants offering 384-bit and 224-bit outputs for specific security requirements.

SHA3-256 & SHA3-512

Latest generation SHA-3 algorithms based on the Keccak algorithm, offering modern cryptographic standards.

Legacy Algorithms: SHA-1 and MD5 are available for backward compatibility but marked as insecure. Use SHA-256 or higher for new implementations.

Flexible Input Formats

Both the secret key and message accept three input types, essential when working with binary keys from APIs or debugging encoding mismatches:

String (UTF-8)

Standard text input for human-readable keys and messages. Most common format for API secrets.

Hex

Hexadecimal byte representation. Use when your key is provided as raw hex bytes from API dashboards.

Base64

Base64-encoded binary data. Common in HTTP headers and configuration files.

Dual Output Display

See both Hex and Base64 representations of your HMAC at the same time — no toggling needed. An uppercase toggle lets you switch hex output between lowercase and uppercase.

Hex Output

Hexadecimal Format

  • Longer representation
  • Easier to read and debug
  • Two characters per byte
  • Uppercase/lowercase toggle

Base64 Output

Base64 Format

  • 33% more compact
  • Common in HTTP headers
  • Used in JWT tokens
  • URL-safe variants available

HMAC Verification

The built-in verify mode lets you paste an expected HMAC value and instantly see whether it matches your generated output. It supports both hex and base64 formats and normalizes whitespace and case for hex comparison.

Instant Validation

Real-time comparison with Match/Mismatch badges as you type.

Format Flexibility

Accepts both hex and base64 input formats automatically.

Smart Normalization

Handles whitespace and case differences in hex values.

Your Data Stays Private

All HMAC computation happens entirely in your browser using the CryptoJS library:

  • No uploads — Your secret keys and messages never leave your device
  • No server processing — Everything runs client-side in JavaScript
  • No tracking — We don't log or store any input data
  • Offline capable — Works without internet connection once loaded

100% Client-Side: Your sensitive cryptographic keys and data remain completely private. All computations happen locally in your browser with zero server communication.

Frequently Asked Questions

Which HMAC algorithm should I use?

SHA-256 is the most widely used and recommended for most applications. It's used by Stripe, GitHub, Shopify webhooks, and AWS API signatures. Use SHA-512 if you need higher security, or SHA3 variants for the latest standard.

Industry Standard: SHA-256 offers the best balance of security, performance, and compatibility across platforms and services.

Why are MD5 and SHA-1 marked as insecure?

MD5 and SHA-1 have known cryptographic weaknesses — collision attacks have been demonstrated for both. While HMAC-MD5 and HMAC-SHA1 are still considered safe in some contexts (the HMAC construction adds security), it's best practice to use SHA-256 or higher for new implementations.

Migration Recommended: If you're currently using MD5 or SHA-1, plan to migrate to SHA-256 or SHA-512 for long-term security.

What's the difference between Hex and Base64 output?

Hex represents each byte as two hexadecimal characters (0-9, a-f). It's longer but easier to read and debug. Base64 is more compact (about 33% shorter) and commonly used in HTTP headers and JWTs. Choose whichever format your API or service expects.

| Format | Length | Common Use | Readability |
|--------|--------|------------|-------------|
| Hex | 64 chars (SHA-256) | Debugging, logs | High |
| Base64 | 44 chars (SHA-256) | HTTP headers, JWT | Medium |

When should I use the Hex or Base64 input type for keys?

If your secret key is provided as a hex string (e.g., from an API dashboard showing raw bytes) or base64 string, select the matching input type so the tool correctly interprets the binary data. Most of the time, "String" (UTF-8) is the right choice.

  • String (UTF-8) — Use for regular text passwords and API keys like "my_secret_key_123"
  • Hex — Use when your key looks like "a3f5b2c8d1e4..." (hexadecimal bytes)
  • Base64 — Use when your key looks like "SGVsbG8gV29ybGQ=" (base64-encoded)

How do I verify a webhook signature?

Enter the webhook's signing secret as the key, paste the raw request body as the message, select the algorithm your service uses (usually SHA-256), then enable Verify HMAC and paste the signature from the webhook header to check if it matches.

1. Get Secret: Copy signing secret from service dashboard
2. Raw Body: Paste exact request body
3. Verify: Compare with header signature

Critical: Use the raw, unmodified request body. Don't parse or reformat the JSON — even whitespace changes will cause verification to fail.
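
The same three steps done server-side in Node.js, as an added example that is not this tool's code and not any particular service's scheme. It covers the hex/base64 handling described under "HMAC Verification" and the raw-body warning above, and compares in constant time with `crypto.timingSafeEqual`; the secret, body and function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Decode a signature given as hex or base64 into exactly `len` bytes, or null.
function decodeSignature(text, len) {
  const s = text.trim();
  if (s.length === len * 2 && /^[0-9a-fA-F]+$/.test(s)) return Buffer.from(s, 'hex');
  if (/^[A-Za-z0-9+/_-]+={0,2}$/.test(s)) {
    const raw = Buffer.from(s, 'base64'); // Node also accepts the URL-safe alphabet
    if (raw.length === len) return raw;
  }
  return null;
}

// rawBody must be the bytes exactly as received, before any JSON parsing.
function verifyWebhook(secret, rawBody, signature, alg = 'sha256') {
  const expected = crypto.createHmac(alg, secret).update(rawBody).digest();
  const given = decodeSignature(signature, expected.length);
  // timingSafeEqual throws on unequal lengths, so malformed input is rejected first.
  return given !== null && crypto.timingSafeEqual(given, expected);
}

// Constructed sample data (not from any real service).
const SECRET = 'example_signing_secret';
const RAW_BODY = Buffer.from('{"event":"order.paid","id":42}');
const SIG_HEX = crypto.createHmac('sha256', SECRET).update(RAW_BODY).digest('hex');
const SIG_B64 = crypto.createHmac('sha256', SECRET).update(RAW_BODY).digest('base64');

// Parsing and re-serializing the JSON changes the bytes (here: added whitespace).
const REFORMATTED = Buffer.from(JSON.stringify(JSON.parse(RAW_BODY.toString()), null, 2));

console.log('raw body, hex signature:   ', verifyWebhook(SECRET, RAW_BODY, SIG_HEX));
console.log('raw body, base64 signature:', verifyWebhook(SECRET, RAW_BODY, SIG_B64));
console.log('reformatted body:          ', verifyWebhook(SECRET, REFORMATTED, SIG_HEX));
```

In a web framework, capture the body bytes before any JSON middleware runs; the parsed object cannot be turned back into the bytes that were signed.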

Is my data safe?

Yes. All HMAC computation runs entirely in your browser — no data is sent to any server. Your secret keys and messages stay on your device at all times.

Client-Side Processing 100%
Data Privacy 100%
Server Uploads 0%