Hmac Generator

Free online tool. All processing is client-side. No signup needed.

How to Use the Hmac Generator

1. Enter your input values above
2. Results update automatically
3. Copy or download the output

What is a Hmac Generator?

An HMAC (Hash-based Message Authentication Code) Generator creates cryptographic authentication codes from a message and a secret key. HMAC verifies both the INTEGRITY of data (it hasn't been altered) and the AUTHENTICITY (it came from someone who knows the secret key). HMAC is used throughout web security: JWT signatures, API request signing (AWS Signature v4, Stripe webhooks, GitHub webhooks), OAuth 1.0, and cookie signing. Unlike a plain hash (which anyone can compute), HMAC requires the secret key — without it, you can't forge a valid authentication code.

How Does It Work?

Enter your message/payload and secret key, select the hash algorithm (SHA-256 is the modern standard; MD5 and SHA-1 are supported but only for legacy systems). The generator computes: HMAC = H((Key ⊕ opad) || H((Key ⊕ ipad) || Message)). The result is a hex or Base64 string. All processing is client-side — your secret key stays in your browser and is never sent to any server.

Formula

HMAC-SHA-256 = H(K⊕opad || H(K⊕ipad || message))\n\nWhere:\nH = hash function (SHA-256, SHA-384, SHA-512)\nK = secret key (padded to block size: 64 bytes for SHA-256)\nipad = 0x36 repeated (inner padding)\nopad = 0x5C repeated (outer padding)\n⊕ = XOR operation\n|| = concatenation\n\nCommon Use Cases:\n• JWT signing: HMAC-SHA256(header.payload, secret)\n• API signing: HMAC-SHA256(requestBody + timestamp, apiSecret)\n• Webhook verification: HMAC-SHA256(payload, webhookSecret)\n• Session cookie signing: HMAC-SHA256(sessionData, cookieSecret)\n\nKey Size: use at least 256-bit (32-byte) secret key for HMAC-SHA-256\nOutput: 256 bits = 32 bytes = 64 hex characters

Who Uses This Tool?

• API developers implementing webhook verification (GitHub, Stripe, Slack style)
• Backend developers signing JWTs with HMAC-SHA256 for authentication
• Security engineers verifying message integrity in communication protocols
• DevOps engineers signing configuration files and deployment artifacts
• Anyone implementing HMAC-based API authentication or request signing

Pro Tips

• Use HMAC-SHA256 as the minimum. HMAC-MD5 and HMAC-SHA1 are vulnerable to collision attacks and should only be used for legacy system compatibility
• Store secrets securely: use environment variables, secrets managers (AWS Secrets Manager, HashiCorp Vault), or .env files excluded from git. Never hardcode secrets
• HMAC is NOT encryption — the message content is visible. HMAC only proves the message hasn't been tampered with and came from the key holder
• For API signing, always include a timestamp or nonce in the signed message to prevent replay attacks. Sign (message + timestamp + nonce) together

Frequently Asked Questions about Hmac Generator

What's the difference between HMAC and a regular hash?

A regular hash (SHA-256) only verifies data integrity — anyone can compute the same hash. HMAC adds a secret key, so only parties who know the key can generate or verify the correct code. This proves authenticity in addition to integrity.

How long should an HMAC key be?

At least the hash output length: 256 bits (32 bytes) for SHA-256, 512 bits for SHA-512. Shorter keys are padded and may weaken security. Longer keys are hashed down and provide no additional benefit. Generate keys using a CSPRNG (cryptographically secure random generator).

Free online Hmac Generator — no signup, 100% client-side processing. All data stays in your browser.