HMAC Generator

Developer

Generate HMAC (Hash-based Message Authentication Code) signatures using the Web Crypto API. Supports SHA-1, SHA-256, SHA-384, and SHA-512.

About HMAC

HMAC combines a cryptographic hash function with a secret key for data integrity and authentication.

  • API Request Signing - AWS Signature V4, Stripe webhooks
  • Webhook Verification - GitHub, Shopify, Slack webhook validation
  • JWT Signing - HS256/HS384/HS512 algorithms
  • Message Integrity - Tamper-proof data transmission

Security Note

All HMAC computation is performed entirely in your browser using the Web Crypto API. Your secret key and data never leave your device.

What is This Tool?

An HMAC generator computes Hash-based Message Authentication Codes using SHA-256, SHA-384, SHA-512, and other algorithms. HMAC combines a secret key with a message hash to provide both data integrity and authentication — proving the message was sent by someone who knows the secret key.

HMAC is defined in RFC 2104: HMAC(key, message) = H((key ⊕ opad) || H((key ⊕ ipad) || message)). Unlike simple hashing, HMAC requires knowledge of the secret key, making it impossible for an attacker to forge valid HMACs without the key. It is resistant to length-extension attacks that affect raw hash functions.

Common Use Cases

Webhook Verification

Compute HMAC-SHA256 signatures to verify Stripe, GitHub, Shopify, and other webhook payloads using the shared secret.

API Authentication

Generate HMAC signatures for API request signing schemes like AWS Signature V4 and other HMAC-based auth protocols.

JWT Signing

Compute HS256/HS384/HS512 signatures for JWT tokens using the HMAC-SHA family of algorithms.

Message Integrity

Create message authentication codes for verifying data integrity in file transfers, database records, and inter-service communication.

Frequently Asked Questions

How is HMAC different from a regular hash?

HMAC uses a secret key, so only parties with the key can create or verify the MAC. A regular hash can be computed by anyone with the message.

Which HMAC algorithm should I use?

HMAC-SHA256 is the most common and recommended. HMAC-SHA512 for extra security. HMAC-MD5 and HMAC-SHA1 are deprecated for new applications.

Is HMAC the same as signing?

HMAC is symmetric signing (same key for create and verify). Digital signatures (RSA, ECDSA) are asymmetric (private key signs, public key verifies). HMAC is faster; asymmetric is better when parties should not share secrets.