HMAC Generator

HMAC (Hash-based Message Authentication Code) signs a message with a secret key using a hash function. Formula: HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m)). HMAC-SHA256 produces 32 bytes (64 hex chars). Used for webhook verification (Stripe, GitHub), JWT signing (HS256), and API authentication (AWS Signature v4). The secret key should be at least 32 random bytes.

Generate HMAC signatures using SHA-256, SHA-384, SHA-512, or SHA-1. Enter a message and secret key — get hex and Base64 output instantly. All computation happens in your browser. Free, no signup.

How to Use

  1. Enter your message
     Type or paste the message content you want to sign into the Message field.

  2. Enter your secret key
     Type the shared secret key used to generate the HMAC signature.

  3. Select the algorithm
     Choose SHA-256 (most common), SHA-384, SHA-512, or SHA-1 depending on your API requirements.

  4. View hex and Base64 output
     The HMAC signature appears automatically in both hex and Base64 formats.

  5. Copy the signature
     Click the copy button next to hex or Base64 to copy the format your API expects.

Frequently Asked Questions

What is HMAC and how does it work?
HMAC (Hash-based Message Authentication Code) combines a message with a secret key using a cryptographic hash function to produce a fixed-length signature. It proves two things simultaneously: the message came from someone who knows the secret key (authentication) and the message was not modified in transit (integrity). Formula: HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m)).
What is the difference between HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512?
All three use the HMAC construction with different SHA-2 hash lengths. SHA-256 produces 32 bytes (64 hex chars) — the most common, used in AWS signatures, JWTs, and webhooks. SHA-384 produces 48 bytes (96 hex chars) — a middle ground with stronger security. SHA-512 produces 64 bytes (128 hex chars) — maximum security, used in high-assurance environments. The tradeoff is output size vs security margin; SHA-256 is secure for all common use cases.
What are common uses of HMAC?
HMAC is widely used for: (1) Webhook verification — Stripe, GitHub, Shopify send an HMAC-SHA256 signature with webhooks so you can verify requests are authentic. (2) JWT signing — the HMAC-SHA256 (HS256) algorithm signs JSON Web Tokens. (3) API authentication — AWS uses HMAC-SHA256 for Signature Version 4. (4) CSRF tokens — some frameworks use HMAC to create tamper-proof session tokens. (5) File integrity verification.
Is this HMAC generator secure to use?
Yes. All computation runs entirely in your browser using the Web Cryptography API (SubtleCrypto) — your message and secret key are never sent to any server. The SubtleCrypto API is implemented in native code (not JavaScript), making it resistant to timing attacks. However, avoid using simple or guessable secret keys; a strong HMAC secret should be at least 256 bits (32 random bytes).
What is the difference between HMAC-SHA256 in hex vs Base64?
Both represent the same binary signature in different encodings. Hex uses characters 0-9 and a-f, making it 64 characters for SHA-256 — easy to read and compare. Base64 uses characters A-Z, a-z, 0-9, +, /, making it 44 characters — more compact, commonly used in HTTP headers and JSON. Choose hex for command-line comparison; choose Base64 for HTTP Authorization headers and JWTs.
Does HMAC support MD5?
HMAC-MD5 exists and produces valid MACs, but MD5 is cryptographically broken and should not be used for new systems. The browser SubtleCrypto API intentionally does not expose HMAC-MD5. If you need HMAC-MD5 for legacy API compatibility (some older REST APIs use it), use a Node.js script: const crypto = require("crypto"); crypto.createHmac("md5", key).update(message).digest("hex").
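
The formula HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m)) from the first answer, written out step by step and checked against the built-in HMAC, followed by a constant-time check of a received hex signature. This is an added example, not the tool's own code: it runs under Node.js with the built-in crypto module rather than the browser SubtleCrypto API, the names hashConcat, hmacFromFormula and verifyHex are illustrative, and the key and message are the published RFC 4231 test case 2.

```javascript
// Added example (not the tool's code): HMAC written out from the formula.
const { createHash, createHmac, timingSafeEqual } = require("crypto");

// Hash block size B in bytes; ipad and opad are B bytes long (RFC 2104).
const BLOCK_SIZE = { sha1: 64, sha256: 64, sha384: 128, sha512: 128 };

// H(part1 || part2 || ...) as a Buffer.
function hashConcat(hashName, parts) {
  const h = createHash(hashName);
  for (const p of parts) h.update(p);
  return h.digest();
}

// HMAC(K, m) = H((K ^ opad) || H((K ^ ipad) || m))
function hmacFromFormula(hashName, key, message) {
  const B = BLOCK_SIZE[hashName];
  if (!B) throw new Error("unsupported hash: " + hashName);
  let K = Buffer.from(key);
  if (K.length > B) K = hashConcat(hashName, [K]); // over-long keys are hashed first
  const ipad = Buffer.alloc(B);
  const opad = Buffer.alloc(B);
  for (let i = 0; i < B; i++) {
    const k = i < K.length ? K[i] : 0; // shorter keys are zero-padded to B bytes
    ipad[i] = k ^ 0x36;
    opad[i] = k ^ 0x5c;
  }
  const inner = hashConcat(hashName, [ipad, Buffer.from(message)]);
  return hashConcat(hashName, [opad, inner]);
}

// Verify a received hex signature with the built-in HMAC and a constant-time compare.
function verifyHex(hashName, key, message, receivedHex) {
  const expected = createHmac(hashName, key).update(message).digest();
  // Reject wrong-length input up front; timingSafeEqual throws on unequal lengths.
  if (typeof receivedHex !== "string" || receivedHex.length !== expected.length * 2) return false;
  const received = Buffer.from(receivedHex, "hex"); // invalid hex decodes short
  return received.length === expected.length && timingSafeEqual(received, expected);
}

// Published test vector: RFC 4231, test case 2.
const KEY = "Jefe";
const MSG = "what do ya want for nothing?";
const tag = hmacFromFormula("sha256", KEY, MSG);
console.log("hex   :", tag.toString("hex"));
console.log("base64:", tag.toString("base64"));
console.log("matches built-in:", tag.equals(createHmac("sha256", KEY).update(MSG).digest()));
console.log("verifies:", verifyHex("sha256", KEY, MSG, tag.toString("hex")));
```

In application code, use the built-in HMAC as verifyHex does; the hand-written construction is there to show what the formula computes.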
