WebToolX

HMAC Generator

Generate HMAC signatures online using SHA-1, SHA-256, or SHA-512. Enter your message and secret key — the hex digest is computed instantly in your browser.

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a construction defined in RFC 2104 that combines any cryptographic hash function with a secret key. Unlike a plain hash, an HMAC cannot be forged without knowing the key, making it the standard primitive for message authentication across the internet.

How to use this tool

  1. Type or paste your message into the textarea — this is the data you want to authenticate.
  2. Enter your secret key in the key field. Keep this private; anyone with the key can forge signatures.
  3. Choose an algorithm: SHA-256 is the safe default; SHA-512 for higher-security requirements; SHA-1 for legacy compatibility only.
  4. The hex digest updates automatically. Click Copy to put it on your clipboard.

Common use cases

  • API request signing — AWS, Stripe, GitHub webhooks, and most REST APIs use HMAC-SHA256 to verify that requests originated from an authorised caller.
  • JWT verification — the HS256/HS384/HS512 algorithms in JSON Web Tokens are HMAC under the hood.
  • Webhook validation — services send an HMAC of the payload in a header; your server recomputes it to reject tampered events.
  • Cookie and session integrity — signed cookies embed an HMAC so the server can detect client-side tampering.
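
The webhook validation flow described above, as an added example (not code from this page or tool): a server-side Python verifier that recomputes the HMAC over the raw request body and compares it to the header value in constant time. The `sha256=<hex>` header format, the function names, and the sample key and payload are assumptions constructed for illustration.

```python
import hashlib
import hmac

# The three algorithms the tool offers, mapped to hashlib constructors.
ALGORITHMS = {
    "SHA-1": hashlib.sha1,      # legacy compatibility only
    "SHA-256": hashlib.sha256,  # default
    "SHA-512": hashlib.sha512,
}


def sign(key: bytes, message: bytes, algorithm: str = "SHA-256") -> str:
    """Return the lowercase hex HMAC digest of message under key."""
    return hmac.new(key, message, ALGORITHMS[algorithm]).hexdigest()


def verify_webhook(key: bytes, raw_body: bytes, header_value: str,
                   algorithm: str = "SHA-256") -> bool:
    """Check a signature header against the raw, unparsed request body.

    Assumed (hypothetical) header format: "<algo>=<hex>", e.g. "sha256=ab12...".
    """
    prefix = algorithm.replace("-", "").lower() + "="
    if not header_value.startswith(prefix):
        return False  # missing signature or unexpected algorithm label
    try:
        received = bytes.fromhex(header_value[len(prefix):])
    except ValueError:
        return False  # signature is not valid hex
    expected = hmac.new(key, raw_body, ALGORITHMS[algorithm]).digest()
    # compare_digest avoids the early-exit timing leak of ==; a truncated
    # or over-long signature simply fails the comparison.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample data, not a real secret or a real event.
    key = b"constructed-demo-key"
    body = b'{"event":"payment.succeeded","amount":1200}'
    header = "sha256=" + sign(key, body)

    print("genuine body :", verify_webhook(key, body, header))
    tampered = body.replace(b"1200", b"9200")
    print("tampered body:", verify_webhook(key, tampered, header))
    print("wrong key    :", verify_webhook(b"other-key", body, header))
```

Sign and verify the exact bytes received on the wire; re-serialising parsed JSON before verifying changes the bytes and makes valid signatures fail.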

Security note

All computation runs in your browser via the crypto.subtle Web Crypto API. Nothing is ever sent to a server. For production use, always generate HMAC signatures server-side where your secret key cannot be exposed to end users.

Frequently Asked Questions

What is an HMAC and why is it used?

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a fixed-size tag that proves both the integrity of a message and that it was created by someone who holds the shared key. It is widely used for API request signing, JWT verification, webhook payload validation, and secure cookie authentication.

Which algorithm should I choose — SHA-1, SHA-256, or SHA-512?

For new projects always prefer SHA-256 or SHA-512. SHA-256 is the most common choice and is used by AWS Signature v4, GitHub webhooks, Stripe, and most modern APIs. SHA-512 offers a larger output (512 bits vs 256 bits) and is preferred in high-security contexts. SHA-1 is provided for compatibility with legacy systems only — it is no longer recommended for new integrations.

Is my secret key safe to enter here?

Yes. All computation happens entirely in your browser using the Web Crypto API. Your message and secret key are never transmitted to any server, stored in a database, or logged anywhere. The tool works offline once the page has loaded.