HMAC Generator
Generate and verify HMAC signatures using HMAC-SHA256, SHA-512, SHA-384, or SHA-1. Uses the native Web Crypto API โ nothing leaves your browser.
๐ Web Crypto API
Uses the browser's native SubtleCrypto API for cryptographically correct HMAC computation. No external libraries.
๐ 100% Private
Your message and secret key never leave your browser. No server requests, no logging, no storage.
โ Verify Mode
Paste an existing HMAC to verify it matches the computed value โ useful for debugging webhook signatures.
Frequently Asked Questions
What is HMAC?
HMAC (Hash-based Message Authentication Code) combines a secret key with a hash function (like SHA-256) to produce a fixed-length signature. Unlike a plain hash, HMAC requires knowing the secret key to verify the signature โ which is what makes it useful for authentication.
What is HMAC used for in practice?
HMAC is the backbone of many security systems: Stripe, GitHub, and Shopify use HMAC-SHA256 to sign webhook payloads so you can verify the request came from them. AWS uses HMAC for its Signature V4 request signing. JWTs signed with HS256 use HMAC-SHA256. API keys are often HMAC-based.
HMAC-SHA256 vs HMAC-SHA512 โ which should I use?
HMAC-SHA256 (32-byte output) is the standard choice and is universally supported. HMAC-SHA512 produces a 64-byte output and is marginally stronger, but SHA-256 is considered secure for all practical purposes. Use HMAC-SHA256 unless your specific protocol requires something else.
How is HMAC different from a plain hash?
A plain hash (like SHA-256) of a message always produces the same output โ anyone who knows the algorithm can compute it. HMAC requires a secret key, so only parties who know the key can generate or verify the signature. This makes HMAC suitable for authentication, where a plain hash would not be.