HMAC Generator

Generate HMAC signatures using SHA-256, SHA-384, and SHA-512. Output in hex or base64 encoding. Verify HMAC values against expected signatures. All processing happens client-side using the Web Crypto API.

Features

Web Crypto API

Uses the browser's native crypto.subtle API for secure, hardware-accelerated HMAC computation. No third-party libraries required.

Real-Time Generation

HMAC is computed instantly as you type. No need to click a button -- results update in real time with every keystroke.

Verify Mode

Paste an expected HMAC to instantly verify it against the computed value. Perfect for debugging webhook signatures and API authentication.

Multiple Formats

Output in hexadecimal or base64 encoding. Support for text (UTF-8) or hex-encoded secret keys to match any API requirement.

Understanding HMAC (Hash-based Message Authentication Code)

HMAC is a specific type of message authentication code (MAC) that uses a cryptographic hash function combined with a secret key. Defined in RFC 2104, HMAC provides both data integrity and authentication. Unlike a plain hash, an HMAC proves that the message was created or approved by someone who possesses the secret key.

How HMAC Works

The HMAC algorithm runs two passes of the hash function, mixing the key with an inner pad (ipad) and an outer pad (opad). The formula is: HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)), where K' is the key K padded with zeros to the hash's block size (a key longer than one block is hashed first). This construction makes HMAC resistant to the length extension attacks that affect naive key+message hashing approaches.

Common Use Cases

HMAC vs Plain Hash

A plain hash (like SHA-256) only verifies data integrity -- the data has not changed. An HMAC also verifies authenticity -- the data was signed by someone with the secret key. Additionally, HMAC is resistant to length extension attacks, which affect hash functions like SHA-256 when they are used as hash(secret + message).
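The computation described on this page (text or hex key, hex or base64 output, verification against an expected value) can be reproduced with crypto.subtle as follows. This is an added example, not this tool's source code; the function names (hmac, verifyHmac, importHmacKey) are hypothetical, and the inputs used to check it are the published RFC 4231 HMAC-SHA-256 test vectors.

```javascript
// Added example, not the tool's own code. Runs in a browser; the require()
// fallback is only reached on Node.js versions without a global crypto object.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder();

// Strict hex parser: rejects odd lengths and non-hex characters.
function hexToBytes(hex) {
  const clean = hex.trim().toLowerCase();
  if (clean.length % 2 !== 0 || !/^[0-9a-f]*$/.test(clean)) {
    throw new Error("not a hex string");
  }
  return Uint8Array.from(clean.match(/../g) ?? [], (b) => parseInt(b, 16));
}

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");
const toBase64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));

// keyFormat: "text" (UTF-8) or "hex"; hash: "SHA-256" | "SHA-384" | "SHA-512".
// The key is imported as non-extractable and limited to sign/verify.
function importHmacKey(secret, keyFormat, hash) {
  const raw = keyFormat === "hex" ? hexToBytes(secret) : enc.encode(secret);
  if (raw.length === 0) throw new Error("empty key");
  return subtle.importKey("raw", raw, { name: "HMAC", hash }, false, ["sign", "verify"]);
}

async function hmac(secret, message,
                    { hash = "SHA-256", keyFormat = "text", output = "hex" } = {}) {
  const key = await importHmacKey(secret, keyFormat, hash);
  const tag = await subtle.sign("HMAC", key, enc.encode(message));
  return output === "base64" ? toBase64(tag) : toHex(tag);
}

// Verification goes through subtle.verify, which leaves the comparison to the
// crypto implementation instead of comparing encoded strings with ===.
async function verifyHmac(secret, message, expectedHex,
                          { hash = "SHA-256", keyFormat = "text" } = {}) {
  let expected;
  try { expected = hexToBytes(expectedHex); } catch { return false; }
  const key = await importHmacKey(secret, keyFormat, hash);
  return subtle.verify("HMAC", key, expected, enc.encode(message));
}
```

When checking webhook signatures on a server, the same rule applies: compare the raw tag bytes with the platform's verify or constant-time comparison function, not the hex or base64 strings.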

Frequently Asked Questions

What is HMAC and how does it work?
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key using a specific two-pass construction defined in RFC 2104. It provides both data integrity (the message has not been altered) and authentication (the sender possesses the secret key). The Web Crypto API in your browser provides a secure, hardware-accelerated implementation.

Which HMAC algorithm should I use?
HMAC-SHA256 is the most widely used and recommended for most applications. It provides strong security and is the standard for services like AWS, GitHub, and Stripe webhooks. Use HMAC-SHA512 when you need a larger output or are working on 64-bit systems. HMAC-SHA384 provides an intermediate option.

Is HMAC the same as hashing with a key appended?
No. Simply concatenating a key with the message and hashing (e.g., SHA256(key + message)) is vulnerable to length extension attacks. HMAC uses a specific construction from RFC 2104 that processes the key through inner and outer padding rounds, making it provably secure against such attacks.

What is the difference between hex and base64 output?
Both represent the same HMAC value in different text encodings. Hex uses characters 0-9 and a-f, producing a longer string (e.g., 64 characters for SHA-256). Base64 uses a 64-character alphabet (A-Z, a-z, 0-9, +, /), producing a shorter string (e.g., 44 characters for SHA-256). Choose whichever format your API expects.

Is my secret key safe with this tool?
Yes. All HMAC computation happens entirely in your browser using the Web Crypto API (crypto.subtle). Your secret key and message are never sent to any server. The tool works completely offline once the page is loaded. You can verify this by checking the Network tab in your browser's developer tools.
