HMAC Generator — Create HMAC Signatures Online
Generate HMAC (Hash-based Message Authentication Code) signatures using SHA-256, SHA-384, or SHA-512. Enter your message and secret key to produce a secure authentication tag for API signing and webhook verification. 100% client-side — nothing is sent to any server.
How to Use the HMAC Generator
- Enter the message — the data you want to authenticate (e.g., a request body or payload).
- Enter a secret key — a shared secret known only to you and the recipient.
- Select an algorithm — SHA-256 (default), SHA-384, or SHA-512.
- Click "Generate HMAC" to produce the HMAC signature in hex format.
- Copy the result and use it to verify message integrity and authenticity.
Why Use This Tool?
HMAC is essential for API authentication, webhook verification, and secure communication. It proves that a message was created by someone who possesses the shared secret and hasn't been tampered with.
Frequently Asked Questions
A regular hash only proves data integrity. HMAC combines the hash with a secret key, proving both integrity and authenticity — meaning you know the message was created by someone who holds the key.
HMAC is used for API request signing (Stripe, AWS, GitHub webhooks), JWT tokens, session cookies, and message authentication in protocols like TLS and IPsec.
No. Your secret key never leaves your browser. All HMAC computation is performed client-side using the Web Crypto API — nothing is sent to any server.
Use Cases
API Request Signing
Sign API requests with HMAC-SHA256 to prove authenticity and prevent replay attacks on sensitive endpoints.
Webhook Verification
Verify that incoming webhooks from services like Stripe or GitHub haven't been forged or tampered with.
JWT Token Signing
Generate HMAC signatures for JSON Web Tokens to ensure token integrity and prevent tampering.
Secure Communication
Authenticate messages between systems using shared secrets to ensure data integrity in transit.