Tool Lab

HMAC Generator

Compute HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, or HMAC-SHA-1 message authentication codes online.


About This Tool

The HMAC Generator computes Hash-based Message Authentication Codes using the browser's crypto.subtle Web Crypto API. An HMAC combines a message with a secret key using a hash function (SHA-256, SHA-384, SHA-512, or SHA-1) to produce a fixed-length authentication tag. Anyone who knows the secret key can verify the HMAC to confirm that the message has not been tampered with.

Output is available in hex, standard Base64, or URL-safe Base64 (which replaces + and / with - and _). All computation is local; your message and key are never sent to a server.

How to Use

  1. Select the algorithm (HMAC-SHA-256 is the most widely used).
  2. Choose the output format (hex for most purposes; URL-safe Base64 for HTTP headers).
  3. Enter your Secret Key and Message, or click Sample.
  4. Click Compute HMAC and copy the digest.

Use Cases

Developers verify webhook signatures from GitHub, Stripe, or Shopify by computing the HMAC of the payload with the shared secret and comparing it to the signature in the HTTP header. API architects sign API request parameters to prevent tampering. Back-end engineers generate CSRF tokens as HMAC of session identifiers. Security engineers audit HMAC implementations by verifying expected digests against known inputs.
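The webhook check described above, as an added example that is not the tool's own code: it verifies a hex HMAC-SHA-256 signature with the same crypto.subtle API and confirms the implementation against the RFC 4231 test case 2 known answer. The function names, the optional sha256= header prefix, and the Node fallback line are assumptions for illustration.

```javascript
// Added example, not the tool's code. Function names are assumptions.
// Browsers and current Node expose crypto.subtle globally; the fallback is for older Node.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder();

// Strict hex decoding: odd length or non-hex input is rejected, not coerced.
function hexToBytes(hex) {
  if (hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) return null;
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}

function importKey(secret, usage) {
  return subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);
}

// Hex HMAC-SHA-256 of a UTF-8 message, matching the tool's hex output format.
async function hmacHex(secret, message) {
  const mac = await subtle.sign("HMAC", await importKey(secret, "sign"), enc.encode(message));
  return Array.from(new Uint8Array(mac), (b) => b.toString(16).padStart(2, "0")).join("");
}

// rawBody must be the payload exactly as received, before any JSON re-serialization.
async function verifySignature(secret, rawBody, headerValue) {
  const hex = headerValue.startsWith("sha256=") ? headerValue.slice(7) : headerValue;
  const tag = hexToBytes(hex);
  if (tag === null || tag.length !== 32) return false; // HMAC-SHA-256 tags are 32 bytes
  // verify() recomputes the tag and compares inside the API, so application
  // code never compares signature strings with ===.
  return subtle.verify("HMAC", await importKey(secret, "verify"), tag, enc.encode(rawBody));
}

// Known-answer input: RFC 4231 test case 2.
const KAT = {
  key: "Jefe",
  msg: "what do ya want for nothing?",
  mac: "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843",
};

// True when the known answer matches, a valid tag verifies, and a tampered body fails.
async function selfTest() {
  const computed = await hmacHex(KAT.key, KAT.msg);
  const good = await verifySignature(KAT.key, KAT.msg, "sha256=" + KAT.mac);
  const tampered = await verifySignature(KAT.key, KAT.msg + " ", "sha256=" + KAT.mac);
  return computed === KAT.mac && good && !tampered;
}
```

Verifying over the raw request body matters because a parsed and re-serialized JSON payload can differ byte-for-byte from what the sender signed.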

FAQ

  • Which algorithm should I use? HMAC-SHA-256 is the standard choice for new systems. HMAC-SHA-1 is still used by legacy systems (Git, older webhooks). SHA-1 is considered weak for collision resistance, but HMAC's security does not depend on collision resistance, so HMAC-SHA-1 is still secure.
  • Is my key secure? All computation runs in the browser with the native Web Crypto API. Your key is never transmitted. However, avoid typing production secrets into web tools as a best practice.
  • What is the difference between HMAC and a hash? A plain hash (SHA-256) takes only the message. HMAC requires a secret key, making it unforgeable without the key. An attacker who sees the HMAC output cannot reproduce it without the key.
  • Why does the hex output length vary by algorithm? HMAC-SHA-256 produces 32 bytes (64 hex chars). HMAC-SHA-384 produces 48 bytes (96 hex chars). HMAC-SHA-512 produces 64 bytes (128 hex chars). The length matches the underlying hash's output size.