CyberCodeLab logo — neon green lab flask with terminal symbolCyberCodeLab

HMAC Generator

Free online HMAC generator. Sign any message with a secret key using HMAC-SHA256, HMAC-SHA512 or HMAC-SHA1 — computed with the Web Crypto API entirely in your browser.

hmac-generator.run

What is an HMAC and how is it different from a plain hash?

A plain hash proves integrity: the data was not changed. An HMAC (Hash-based Message Authentication Code) mixes a secret key into the hash, so it also proves authenticity: only someone holding the key could have produced it. It defends against attackers who could otherwise recompute a plain hash after tampering.

HMAC-SHA256 is the de facto standard for API request signing and webhook verification — AWS, Stripe and GitHub all use it. The signature is computed here with the Web Crypto API; your key and message never leave the browser.

How to use

  1. 01Enter your secret key in the Secret key field.
  2. 02Choose the algorithm: HMAC-SHA256, HMAC-SHA512 or HMAC-SHA1.
  3. 03Paste the message to sign and click Generate HMAC.
  4. 04Copy the hex signature for use in API authentication or webhooks.

Frequently asked questions

What is an HMAC and when do I need one?
An HMAC is a keyed hash that proves both integrity and authenticity — only someone with the secret key can produce a valid signature. It is the standard mechanism for signing API requests and verifying webhooks.
Is my secret key sent anywhere?
No. The key and message are processed by the Web Crypto API entirely in your browser and are never transmitted or stored.
Which HMAC algorithm should I use?
HMAC-SHA256 is the standard for modern APIs (used by AWS, Stripe and GitHub webhooks). Only use HMAC-SHA1 when integrating with older systems that require it.

Related tools