HMAC Generator

Enter a message and secret key, pick a hash algorithm, and get the HMAC in hex — computed in your browser with the Web Crypto API.

How to use HMAC Generator

The HMAC Generator creates Hash-based Message Authentication Codes using SHA-1, SHA-256, SHA-384, or SHA-512 algorithms. HMACs combine a secret key with a message to produce a signature that verifies both integrity and authenticity — widely used in API authentication, webhook validation, and JWT signing. The computation runs entirely in your browser using the native Web Crypto API.

  1. Enter the message you want to authenticate in the Message field.
  2. Enter your secret key — this is the shared secret known to both sender and receiver.
  3. Select the hash algorithm: SHA-256 is the most common choice for modern APIs.
  4. Click Generate and copy the hex HMAC signature.
  5. Compare the generated HMAC against the expected signature to verify integrity.
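
The steps above, done in code with the same Web Crypto API, as an added example that is not the tool's own source. The function names are hypothetical, the `require` fallback is only there so the block also runs under Node, and step 5 is done with `subtle.verify` so the check does not rely on a JavaScript string comparison.

```javascript
// Added example, not the page's code. In a browser globalThis.crypto exists;
// the require() fallback only covers Node versions without a global `crypto`.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();

// The four algorithms the tool offers, under their Web Crypto names.
const HASHES = ["SHA-1", "SHA-256", "SHA-384", "SHA-512"];

// Import the shared secret as a non-extractable HMAC key for one usage.
async function importHmacKey(secret, hash, usages) {
  if (!HASHES.includes(hash)) throw new RangeError(`unsupported hash: ${hash}`);
  return subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash }, false, usages);
}

// Steps 1-4: message + secret key -> lowercase hex HMAC.
async function hmacHex(message, secret, hash = "SHA-256") {
  const key = await importHmacKey(secret, hash, ["sign"]);
  const mac = new Uint8Array(await subtle.sign("HMAC", key, enc.encode(message)));
  return Array.from(mac, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Parse a received hex signature; returns null for anything that is not clean hex.
function hexToBytes(hex) {
  if (typeof hex !== "string" || hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) return null;
  return Uint8Array.from(hex.match(/../g) ?? [], (pair) => parseInt(pair, 16));
}

// Step 5: recompute and compare inside the crypto implementation instead of
// using === on hex strings, which can stop at the first differing character.
// Malformed, empty, or truncated signatures are rejected rather than thrown on.
async function verifyHmacHex(message, secret, signatureHex, hash = "SHA-256") {
  const sig = hexToBytes(signatureHex);
  if (sig === null || sig.length === 0) return false;
  const key = await importHmacKey(secret, hash, ["verify"]);
  return subtle.verify("HMAC", key, sig, enc.encode(message));
}
```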

How HMAC authentication works

HMAC (Hash-based Message Authentication Code) applies a cryptographic hash function to a combination of the message and a secret key. Unlike a plain hash, an HMAC cannot be forged without knowing the secret key — making it ideal for verifying API requests, validating webhook payloads, and signing tokens. The most common variant, HMAC-SHA256, is used by AWS Signature V4, Stripe webhooks, and many OAuth implementations. The output is a fixed-length hex string that changes completely if either the message or the key changes by even one byte.

HMAC algorithm output sizes
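| Algorithm    | Output bits | Output hex length | Common use                       |
|--------------|-------------|-------------------|----------------------------------|
| HMAC-SHA-1   | 160 bits    | 40 chars          | Legacy — avoid for new systems   |
| HMAC-SHA-256 | 256 bits    | 64 chars          | API auth, JWT, Stripe webhooks   |
| HMAC-SHA-384 | 384 bits    | 96 chars          | Higher security requirements     |
| HMAC-SHA-512 | 512 bits    | 128 chars         | Maximum security, larger payload |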

HMAC vs plain hashing vs digital signatures

A plain cryptographic hash (SHA-256) is deterministic and public — anyone can compute the same hash from the same input, so it provides integrity but not authenticity. HMAC adds a secret key: only parties that know the key can produce or verify the code. Digital signatures (RSA, ECDSA) use asymmetric key pairs and can be publicly verified without sharing the private key, making them better for public-key infrastructure. HMAC is symmetric — it requires both parties to share the same secret — which makes key distribution simpler for internal microservice communication but unsuitable for scenarios where you need a third party to verify authenticity without sharing secrets.

Glossary

HMAC
Hash-based Message Authentication Code — a MAC computed using a cryptographic hash function and a secret key.
MAC
Message Authentication Code — a short piece of information used to authenticate a message and verify its integrity.
Secret key
The shared symmetric key used in HMAC computation; both signing and verification parties must possess the same key.
Web Crypto API
A browser-native cryptographic API (window.crypto.subtle) providing hashing, encryption, key derivation, and signing without external libraries.
Hex encoding
Representing binary data as lowercase hexadecimal characters; each byte becomes two hex digits (00–ff).

Why use HMAC Generator?

  • No installation — use directly from any browser
  • Handles large inputs without crashing or timeouts
  • Syntax highlighting and formatted output for readability
  • Copy to clipboard shortcut for fast workflow integration
