HMAC Generator for Signatures and Verification
This HMAC generator creates a Hash-based Message Authentication Code from a secret key and a message, right in your browser. Pair any message with your key and a hash algorithm to produce an authentication code that proves the data is intact and came from someone who holds the key.
It is built for developers who sign and verify webhook payloads, API requests, and JWTs (HS256). Choose from 8 algorithms, feed in String, Hex, or Base64 input, and read the result as both Hex and Base64 at once — with a built-in verify mode to compare against an expected signature.
How to Generate an HMAC
Choose an algorithm
Pick your hash algorithm from the dropdown. SHA-256 is the default and the right choice for most webhooks, APIs, and JWTs. MD5 and SHA-1 are available for legacy use but carry an Insecure badge.
Enter your secret key
Type or paste the key into the Secret Key field. If your key is binary, switch its input type between String, Hex, and Base64 so the bytes are read correctly.
Enter your message
Paste the Message you want to authenticate — for example a raw webhook body. As with the key, set its input type to String, Hex, or Base64 to match the data.
Read and copy the HMAC
The code is generated automatically as you type, shown in both Hex and Base64. Toggle Uppercase for hex if needed, then click the copy button next to either output. To check a value, enable Verify HMAC and paste the expected signature for an instant Match or Mismatch badge.
Features
8 HMAC Algorithms
Generate codes with MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-256, and SHA3-512 to match any integration.
Flexible Input Types
Key and message each accept String (UTF-8), Hex, or Base64 — essential for binary keys from APIs.
Dual Hex and Base64 Output
See both the hexadecimal and Base64 form of your HMAC side by side — no toggling between formats.
Uppercase Hex Toggle
Switch the hex output between lowercase and uppercase to match the format your service expects.
HMAC Verification Mode
Paste an expected value and instantly see Match or Mismatch — accepts Hex or Base64 and normalizes case and whitespace.
Security Labels
Weak algorithms like MD5 and SHA-1 are clearly flagged as Insecure so you avoid them in production.
Real-Time Generation
The HMAC updates automatically as you type or paste, with a status indicator showing the algorithm and bit length.
One-Click Copy
Copy the Hex or Base64 output to your clipboard with a single click on each format's copy button.
Webhook Sample Data
Load a ready-made webhook payload and secret with one click to see exactly how a signature is built.
Client-Side Processing
All computation runs locally in your browser — no keys or messages are ever sent to a server.
Frequently Asked Questions
What is HMAC?
HMAC (Hash-based Message Authentication Code) combines a secret key with a hash function to produce an authentication code. It gives you both integrity and authentication: it proves a message has not been tampered with and that it came from someone who knows the key. It is used for webhook signatures, API request signing (such as AWS Signature V4), and JWT signing (HS256).
Which HMAC algorithm should I use?
SHA-256 is the most widely used and the right default for most cases — it powers Stripe, GitHub, and Shopify webhooks as well as AWS API signatures. Use SHA-512 when you want a larger 512-bit output, or the SHA3 variants for the newest standard.
What is the secret key in HMAC?
The secret key is a shared value known only to the parties exchanging messages — for webhooks it is the signing secret your provider gives you. The same key must be used to generate and to verify a signature; without it, the HMAC cannot be forged or validated.
How do I verify a webhook signature?
Enter the webhook's signing secret as the Secret Key, paste the raw request body as the Message, and select the algorithm your service uses (usually SHA-256). Then enable Verify HMAC and paste the signature from the webhook header to see a Match or Mismatch badge instantly.
What's the difference between Hex and Base64 output?
Hex shows each byte as two hexadecimal characters (0-9, a-f); it is longer but easy to read and debug. Base64 is about 33% shorter and common in HTTP headers and JWTs. This tool displays both at once, so you can copy whichever format your API expects.
When should I use the Hex or Base64 input type for keys?
Select Hex or Base64 when your secret key is provided as raw bytes in that encoding — for example a hex string from an API dashboard. This tells the tool to decode the value before hashing. Most of the time a plain UTF-8 key means you should keep the String input type.
Why are MD5 and SHA-1 marked as insecure?
MD5 and SHA-1 have known collision weaknesses. The HMAC construction still adds protection, so HMAC-MD5 and HMAC-SHA1 remain safe in some legacy contexts, but it is best practice to choose SHA-256 or higher for any new implementation. That is why both are flagged.
Is my data safe?
Yes. Every HMAC is computed entirely in your browser — no data is sent to any server. Your secret keys and messages stay on your device at all times, and nothing is logged or stored.
No comments yet. Be the first to comment!