Language
English English Vietnamese (Tiếng Việt) Vietnamese (Tiếng Việt) Chinese (简体中文) Chinese (简体中文) Portuguese (Brazil) (Português do Brasil) Portuguese (Brazil) (Português do Brasil) Spanish (Español) Spanish (Español) Indonesian (Bahasa Indonesia) Indonesian (Bahasa Indonesia)
HMAC Generator

HMAC Generator

Generate and verify HMAC authentication codes with 8 algorithms (SHA-256, SHA-512, SHA3, MD5, and more). Sign and check webhook and API signatures instantly.

HMAC Generator for Signatures and Verification

This HMAC generator creates a Hash-based Message Authentication Code from a secret key and a message, right in your browser. Pair any message with your key and a hash algorithm to produce an authentication code that proves the data is intact and came from someone who holds the key.

It is built for developers who sign and verify webhook payloads, API requests, and JWTs (HS256). Choose from 8 algorithms, feed in String, Hex, or Base64 input, and read the result as both Hex and Base64 at once — with a built-in verify mode to compare against an expected signature.

Private by design: every HMAC is computed entirely in your browser with the CryptoJS library. Your secret keys and messages are never uploaded, logged, or stored on any server.

How to Generate an HMAC

1

Choose an algorithm

Pick your hash algorithm from the dropdown. SHA-256 is the default and the right choice for most webhooks, APIs, and JWTs. MD5 and SHA-1 are available for legacy use but carry an Insecure badge.

2

Enter your secret key

Type or paste the key into the Secret Key field. If your key is binary, switch its input type between String, Hex, and Base64 so the bytes are read correctly.

3

Enter your message

Paste the Message you want to authenticate — for example a raw webhook body. As with the key, set its input type to String, Hex, or Base64 to match the data.

4

Read and copy the HMAC

The code is generated automatically as you type, shown in both Hex and Base64. Toggle Uppercase for hex if needed, then click the copy button next to either output. To check a value, enable Verify HMAC and paste the expected signature for an instant Match or Mismatch badge.

Features

8 HMAC Algorithms

Generate codes with MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-256, and SHA3-512 to match any integration.

Flexible Input Types

Key and message each accept String (UTF-8), Hex, or Base64 — essential for binary keys from APIs.

Dual Hex and Base64 Output

See both the hexadecimal and Base64 form of your HMAC side by side — no toggling between formats.

Uppercase Hex Toggle

Switch the hex output between lowercase and uppercase to match the format your service expects.

HMAC Verification Mode

Paste an expected value and instantly see Match or Mismatch — accepts Hex or Base64 and normalizes case and whitespace.

Security Labels

Weak algorithms like MD5 and SHA-1 are clearly flagged as Insecure so you avoid them in production.

Real-Time Generation

The HMAC updates automatically as you type or paste, with a status indicator showing the algorithm and bit length.

One-Click Copy

Copy the Hex or Base64 output to your clipboard with a single click on each format's copy button.

Webhook Sample Data

Load a ready-made webhook payload and secret with one click to see exactly how a signature is built.

Client-Side Processing

All computation runs locally in your browser — no keys or messages are ever sent to a server.

Frequently Asked Questions

What is HMAC?

HMAC (Hash-based Message Authentication Code) combines a secret key with a hash function to produce an authentication code. It gives you both integrity and authentication: it proves a message has not been tampered with and that it came from someone who knows the key. It is used for webhook signatures, API request signing (such as AWS Signature V4), and JWT signing (HS256).

Which HMAC algorithm should I use?

SHA-256 is the most widely used and the right default for most cases — it powers Stripe, GitHub, and Shopify webhooks as well as AWS API signatures. Use SHA-512 when you want a larger 512-bit output, or the SHA3 variants for the newest standard.

What is the secret key in HMAC?

The secret key is a shared value known only to the parties exchanging messages — for webhooks it is the signing secret your provider gives you. The same key must be used to generate and to verify a signature; without it, the HMAC cannot be forged or validated.

How do I verify a webhook signature?

Enter the webhook's signing secret as the Secret Key, paste the raw request body as the Message, and select the algorithm your service uses (usually SHA-256). Then enable Verify HMAC and paste the signature from the webhook header to see a Match or Mismatch badge instantly.

What's the difference between Hex and Base64 output?

Hex shows each byte as two hexadecimal characters (0-9, a-f); it is longer but easy to read and debug. Base64 is about 33% shorter and common in HTTP headers and JWTs. This tool displays both at once, so you can copy whichever format your API expects.

When should I use the Hex or Base64 input type for keys?

Select Hex or Base64 when your secret key is provided as raw bytes in that encoding — for example a hex string from an API dashboard. This tells the tool to decode the value before hashing. Most of the time a plain UTF-8 key means you should keep the String input type.

Why are MD5 and SHA-1 marked as insecure?

MD5 and SHA-1 have known collision weaknesses. The HMAC construction still adds protection, so HMAC-MD5 and HMAC-SHA1 remain safe in some legacy contexts, but it is best practice to choose SHA-256 or higher for any new implementation. That is why both are flagged.

Is my data safe?

Yes. Every HMAC is computed entirely in your browser — no data is sent to any server. Your secret keys and messages stay on your device at all times, and nothing is logged or stored.

Insecure
Secret Key
Message
HMAC Output

Enter a secret key and message to generate HMAC

Hex
Base64
Ready
|
Select an algorithm from the dropdown — SHA-256 is recommended for most use cases
Use the input type selectors (String/Hex/Base64) when your key or message is in binary format
Enable Verify HMAC to compare your output against an expected value — supports both Hex and Base64
MD5 and SHA-1 are marked as Insecure — use SHA-256 or higher for production
Click Sample Data to load a webhook signature example
All computation happens in your browser — your keys and messages are never sent to any server
Want to learn more? Read documentation →
1/7
Start typing to search...
Searching...
No results found
Try searching with different keywords