RevealTheme logo

HMAC Generator

Compute an HMAC of a text message with a text secret key using SHA-1, SHA-256, SHA-384, or SHA-512. The result is shown as lowercase hexadecimal.

How to use this tool

  1. 1

    Pick a hash algorithm from the dropdown: SHA-1, SHA-256, SHA-384, or SHA-512.

  2. 2

    Type or paste your shared secret key into the key field.

  3. 3

    Type or paste the message you want to authenticate into the message box.

  4. 4

    Click Generate to compute the HMAC; the lowercase hex digest appears below.

What is an HMAC and how does this tool compute it?

HMAC (Hash-based Message Authentication Code) proves both the integrity and the authenticity of a message using a secret shared between sender and receiver. Defined in RFC 2104, it wraps an ordinary hash function in two keyed passes — roughly hash(key XOR opad, hash(key XOR ipad, message)) — so that nobody without the key can forge or alter the tag undetected. A plain hash like SHA-256 can be recomputed by anyone, but an HMAC cannot be reproduced without the key. This tool runs the browser's built-in Web Crypto API (crypto.subtle). It encodes your key and message as UTF-8 bytes, signs with the selected algorithm, and prints the result as a lowercase hex string. The digest length follows the hash: HMAC-SHA1 is 40 hex chars (160 bits), SHA-256 is 64, SHA-384 is 96, and SHA-512 is 128. The HMAC primitive shown here underlies real systems — Stripe and GitHub webhook signatures, the per-step keys in AWS Signature V4, and JWT HS256/HS384/HS512 — though those protocols add framing, canonicalization, or Base64url encoding on top of the raw HMAC this tool outputs.

Common use cases

  • Verify an incoming webhook by recomputing the HMAC of the raw request body with your endpoint's signing secret and comparing it to the provider's signature header.

  • Check a Stripe webhook locally: HMAC-SHA256 the timestamped payload with your whsec_ secret to confirm your verification logic before deploying.

  • Debug a mismatched signature by pasting the exact bytes your server and client each signed to see which side is wrong.

  • Generate a quick integrity tag for a config file or message so a teammate with the same key can confirm it was not altered in transit.

  • Teach or learn how HMAC differs from a bare hash by toggling algorithms and watching the digest length change.

  • Sanity-check a single HMAC step of a larger signing scheme (such as one round of the AWS SigV4 key-derivation chain) during development.

Frequently asked questions

Is HMAC the same as a hash?
No. Anyone can compute a plain hash such as SHA-256 over your data. HMAC mixes in a secret key, so without that key you cannot reproduce, verify, or forge the tag. That secret is what turns a checksum into an authentication code.
Does this tool send my key or message anywhere?
No. It uses the browser's Web Crypto API and runs entirely on your device. Your key and message are never uploaded to a server. You can confirm this by disconnecting from the network and watching it still work.
Why does my result not match my server's signature?
The most common cause is encoding. This tool treats the key as raw UTF-8 text. If your real secret is stored as hex or Base64 and your server decodes it to bytes before signing, you must decode it the same way first — there is no hex or Base64 key-decode option here, so it would hash the literal characters instead.
Can I get the output as Base64 instead of hex?
Not directly. The output is always lowercase hexadecimal, and there is no copy button. Many webhook providers expect Base64 signatures, so you may need to convert the hex to Base64 yourself before comparing.
Should I use HMAC-SHA1?
Only for compatibility with existing systems such as older webhooks, OAuth 1.0, or TOTP. HMAC-SHA1 is still considered safe as a MAC, but for any new design choose SHA-256 or stronger.
Can this produce a full JWT or AWS Signature V4?
No. It computes a single HMAC. JWTs use Base64url encoding and a specific header.payload structure, and SigV4 chains several HMAC steps with canonicalized request data. This tool only gives you the underlying HMAC primitive those protocols build on.
Is comparing two HMAC strings by eye safe?
For casual checking, yes. In production code you should compare signatures with a constant-time function to avoid timing attacks; a plain string equality check can leak information about how many characters matched.

Related tools