Online HMAC Generator
Generate HMAC-SHA256, HMAC-SHA512 signatures with your secret key
HMAC Generator
0 characters
💡 Press Ctrl + Enter to compute immediately
How to Use HMAC
- 1 Enter your message text in the Message field
- 2 Enter your secret key in the Secret Key field
- 3 Select key format if your key is hex or Base64 encoded
- 4 Choose the HMAC algorithm (SHA-256 recommended)
- 5 Click Generate or press Ctrl+Enter
- 6 Copy the HMAC signature in your preferred format
What You Get
HMAC generator supporting SHA-1, SHA-256, SHA-384, SHA-512. Key strength indicator, multiple output formats, and signature verification.
Input: Message: "Hello World", Key: "secret123"
Output: HMAC-SHA256: d2b2c4e8b7a3f1e0...
Input: Webhook body + API secret
Output: Signature to compare with X-Hub-Signature header
Input: AWS request + access key
Output: Signature for AWS API authentication
How do I generate an HMAC-SHA256 signature online?
Enter your message and secret key, select SHA-256 algorithm, and click Generate. The HMAC signature is computed instantly in your browser. Copy the hex or Base64 result for your API request.
What is the difference between HMAC and regular hashing?
Regular hashes like SHA-256 only need a message. HMAC also requires a secret key. This means only parties with the key can create or verify the signature, providing authentication that the message came from the expected sender.
Which HMAC algorithm should I use?
HMAC-SHA256 is the most common and recommended for new projects. AWS, Stripe, GitHub webhooks, and most APIs use it. HMAC-SHA512 offers higher security for very sensitive data. Avoid HMAC-SHA1 for new implementations.
How do I verify an HMAC signature?
Compute the HMAC using the same message, key, and algorithm, then compare with the signature you received. Use the Verify field to paste the expected HMAC and instantly see if it matches your computed signature.
Is my secret key safe when using an online HMAC generator?
Only if it's client-side like this one. This tool computes HMACs using the WebCrypto API directly in your browser. Your secret key never leaves your device or is transmitted to any server.
What format should my secret key be in?
Most APIs provide keys as plain text strings. Some provide hex-encoded or Base64-encoded keys. Select the appropriate Key Format option (Text, Hex, or Base64) to decode the key correctly before HMAC computation.
How do I use HMAC for webhook verification?
When a service sends a webhook, it includes an HMAC signature in a header (like X-Hub-Signature). Compute the HMAC of the webhook body using your secret key and compare to the signature. If they match, the webhook is authentic and untampered.
Why does my HMAC not match the expected signature?
Common causes: wrong algorithm (SHA-256 vs SHA-512), key encoding mismatch (text vs hex vs Base64), extra whitespace in message, different line endings (\n vs \r\n), or case differences. Ensure exact message content and correct key format.
Can I use HMAC for password storage?
No, use bcrypt, scrypt, or Argon2 for password hashing. HMAC is designed for message authentication, not password storage. HMAC is fast, while password hashing algorithms are deliberately slow to resist brute-force attacks.
All processing happens in your browser. Your secret key never leaves your device.