HMAC Generator

Generate HMAC values from text and a secret key. Supports SHA-1, SHA-256, SHA-384, and SHA-512.

Input data is processed in your browser
Data is never sent to a server

Tool

0 chars

or drag & drop a file

0 chars

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a message authentication mechanism that combines a secret key with a cryptographic hash function. It simultaneously ensures data integrity and authenticates the sender, making it ideal for API request signing, webhook payload verification, and security token generation.

Common Use Cases

  • API request signing: Used in protocols like AWS Signature Version 4
  • Webhook verification: Validate payloads from services like GitHub or Stripe
  • Session tokens: Sign user authentication tokens
  • Data integrity: Confirm that data has not been tampered with in transit

How to Use

  1. Enter the text you want to generate an HMAC for into the input field.
  2. Enter your secret key.
  3. Select the algorithm (e.g. HMAC-SHA256) and output format (Hex or Base64).
  4. Click the "Generate" button to compute the HMAC value.
  5. Use the "Copy" button to copy the result to the clipboard.

FAQ

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a type of message authentication code that combines a secret key with a hash function. It provides both data integrity verification and sender authentication, and is widely used in API request signing, webhook validation, and security token generation.

Should I use SHA-256 or SHA-512?

HMAC-SHA256 or higher is recommended for most use cases. HMAC-SHA256 is the most widely adopted standard and offers sufficient security for practical purposes. HMAC-SHA512 is stronger but produces a longer output. Unless you have specific requirements, HMAC-SHA256 is the standard choice.

How should I choose a secret key?

Use a sufficiently long, random string that is difficult to guess. Short keys or dictionary words are not secure. For high-security requirements, use a cryptographically secure random number generator to produce a key of at least 32 bytes.

Is any data sent to the server?

No. All processing is performed locally in your browser using the Web Crypto API. Neither your input text nor your secret key is ever transmitted to the server.

Why does the HMAC value always come out the same?

HMAC is a deterministic algorithm. The same input text combined with the same secret key will always produce the same HMAC value. This allows the sender and receiver to independently compute the value and compare it to verify the authenticity of the message.