HMAC Generator
Free online HMAC generator. Sign any message with a secret key using HMAC-SHA256, HMAC-SHA512 or HMAC-SHA1 — computed with the Web Crypto API entirely in your browser.
What is an HMAC and how is it different from a plain hash?
A plain hash proves integrity: the data was not changed. An HMAC (Hash-based Message Authentication Code) mixes a secret key into the hash, so it also proves authenticity: only someone holding the key could have produced it. It defends against attackers who could otherwise recompute a plain hash after tampering.
HMAC-SHA256 is the de facto standard for API request signing and webhook verification — AWS, Stripe and GitHub all use it. The signature is computed here with the Web Crypto API; your key and message never leave the browser.
How to use
- 01Enter your secret key in the Secret key field.
- 02Choose the algorithm: HMAC-SHA256, HMAC-SHA512 or HMAC-SHA1.
- 03Paste the message to sign and click Generate HMAC.
- 04Copy the hex signature for use in API authentication or webhooks.
Frequently asked questions
- What is an HMAC and when do I need one?
- An HMAC is a keyed hash that proves both integrity and authenticity — only someone with the secret key can produce a valid signature. It is the standard mechanism for signing API requests and verifying webhooks.
- Is my secret key sent anywhere?
- No. The key and message are processed by the Web Crypto API entirely in your browser and are never transmitted or stored.
- Which HMAC algorithm should I use?
- HMAC-SHA256 is the standard for modern APIs (used by AWS, Stripe and GitHub webhooks). Only use HMAC-SHA1 when integrating with older systems that require it.