HMAC Generator
Generate HMAC signatures using SHA-256, SHA-384, and SHA-512 instantly online. Free HMAC generator using the Web Crypto API — your message and secret never leave the browser.
Message
Secret Key
Related Tools
Unix Timestamp
Convert Unix timestamps to UTC, local time, and ISO 8601 instantly. Auto-detects seconds vs milliseconds.
Base Converter
Convert numbers between decimal, hex, binary, and octal instantly. Free and runs in your browser.
Hash Generator
Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes instantly. Runs entirely in your browser using the Web Crypto API.
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a fixed-length authentication tag. Unlike a plain hash, HMAC proves both data integrity and authenticity — only parties who hold the secret key can generate a valid tag for a given message, making it impossible to forge without the key.
HMAC is used to sign webhook payloads (GitHub, Stripe, Twilio), authenticate API requests (AWS Signature v4, HMAC-based OAuth), validate JWT tokens with the HS256/384/512 algorithms, and generate time-based one-time passwords (TOTP/HOTP) in two-factor authentication systems. It is defined in RFC 2104 and considered cryptographically secure when used with SHA-256 or stronger.
This tool runs HMAC-SHA256, SHA-384, and SHA-512 using the browser's native Web Crypto API (crypto.subtle.sign), which is a FIPS 140-2 validated implementation. The message and secret key inputs are encoded to UTF-8 bytes via TextEncoder. No data leaves the browser.
Common Use Cases
Verifying GitHub webhook signatures
GitHub signs every webhook payload with HMAC-SHA256 using your configured secret and sends the result in the X-Hub-Signature-256 header. Pasting the raw POST body and your secret here lets you reproduce the expected signature and compare it against the header value to confirm the payload is genuine.
Debugging Stripe webhook validation
Stripe's webhook verification combines a timestamp and payload into a signed string before applying HMAC-SHA256. When a webhook handler rejects events in staging, generating the HMAC manually with the Stripe signing secret helps isolate whether the issue is in string construction, encoding, or key configuration.
Testing AWS Signature Version 4 requests
AWS SigV4 requires HMAC-SHA256 applied in a four-stage key derivation chain: date, region, service, and request. Reproducing individual HMAC steps in this tool helps debug signing errors in SDK-free HTTP clients or Lambda functions calling AWS APIs without the official SDK.
Generating TOTP shared-secret test vectors
TOTP (RFC 6238) builds on HMAC-SHA1/256/512 applied to a counter derived from the current time. Developers implementing TOTP from scratch use known test vectors — fixed message and key pairs with expected HMAC outputs — to validate their implementation against RFC 4226 reference values before connecting to an authenticator app.
How to Use the HMAC Generator
- Enter the message you want to sign in the Message field.
- Enter your secret key in the Secret Key field.
- HMAC-SHA-256, SHA-384, and SHA-512 signatures are generated instantly.
- Click Copy next to any row to copy the hex-encoded HMAC.
- Use Example to load a sample message and secret key.
About HMAC
- HMAC-SHA-256 — 256-bit signature; the most widely used variant for API authentication and webhook verification
- HMAC-SHA-384 — 384-bit signature; stronger variant for higher security requirements
- HMAC-SHA-512 — 512-bit signature; maximum strength in the SHA-2 family
HMAC signatures are computed using the browser's built-in Web Crypto API. Your message and secret key never leave your device.