HMAC Generator
Compute an HMAC of a text message with a text secret key using SHA-1, SHA-256, SHA-384, or SHA-512. The result is shown as lowercase hexadecimal.
How to use this tool
- 1
Pick a hash algorithm from the dropdown: SHA-1, SHA-256, SHA-384, or SHA-512.
- 2
Type or paste your shared secret key into the key field.
- 3
Type or paste the message you want to authenticate into the message box.
- 4
Click Generate to compute the HMAC; the lowercase hex digest appears below.
What is an HMAC and how does this tool compute it?
HMAC (Hash-based Message Authentication Code) proves both the integrity and the authenticity of a message using a secret shared between sender and receiver. Defined in RFC 2104, it wraps an ordinary hash function in two keyed passes — roughly hash(key XOR opad, hash(key XOR ipad, message)) — so that nobody without the key can forge or alter the tag undetected. A plain hash like SHA-256 can be recomputed by anyone, but an HMAC cannot be reproduced without the key. This tool runs the browser's built-in Web Crypto API (crypto.subtle). It encodes your key and message as UTF-8 bytes, signs with the selected algorithm, and prints the result as a lowercase hex string. The digest length follows the hash: HMAC-SHA1 is 40 hex chars (160 bits), SHA-256 is 64, SHA-384 is 96, and SHA-512 is 128. The HMAC primitive shown here underlies real systems — Stripe and GitHub webhook signatures, the per-step keys in AWS Signature V4, and JWT HS256/HS384/HS512 — though those protocols add framing, canonicalization, or Base64url encoding on top of the raw HMAC this tool outputs.
Common use cases
Verify an incoming webhook by recomputing the HMAC of the raw request body with your endpoint's signing secret and comparing it to the provider's signature header.
Check a Stripe webhook locally: HMAC-SHA256 the timestamped payload with your whsec_ secret to confirm your verification logic before deploying.
Debug a mismatched signature by pasting the exact bytes your server and client each signed to see which side is wrong.
Generate a quick integrity tag for a config file or message so a teammate with the same key can confirm it was not altered in transit.
Teach or learn how HMAC differs from a bare hash by toggling algorithms and watching the digest length change.
Sanity-check a single HMAC step of a larger signing scheme (such as one round of the AWS SigV4 key-derivation chain) during development.
Frequently asked questions
Is HMAC the same as a hash?▼
Does this tool send my key or message anywhere?▼
Why does my result not match my server's signature?▼
Can I get the output as Base64 instead of hex?▼
Should I use HMAC-SHA1?▼
Can this produce a full JWT or AWS Signature V4?▼
Is comparing two HMAC strings by eye safe?▼
Related tools
Bcrypt Hash Generator
Generate bcrypt password hashes (client-side).
AES Encryption
Encrypt and decrypt text with AES-256 in your browser.
2FA QR Code Generator
Generate TOTP/2FA QR codes for authenticator apps.
Password Strength Tester
Test password strength against entropy and dictionaries.
Caesar Cipher Encoder
Encode and decode Caesar cipher with custom shifts.
ROT13 Encoder
Encode and decode ROT13 text instantly.