HMAC Generator

Generate HMAC-SHA-256, SHA-384, or SHA-512 message authentication codes with a secret key.

Key and message are UTF-8 encoded

Output

Enter a message and secret key to generate HMAC

About HMAC generation

HMAC (Hash-based Message Authentication Code) is the standard way to verify that a message has not been tampered with and comes from a party that knows the shared secret key. It is the foundation of API authentication schemes such as AWS Signature Version 4, Stripe webhook validation, and GitHub webhook secrets.

This tool lets you compute HMAC codes for HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 directly in your browser using the Web Crypto API. Results are shown in both hex and Base64 format and update live as you type: no page reloads required.

Step-by-step guide

  1. 1
    Select an algorithm
    Choose HMAC-SHA-256, HMAC-SHA-384, or HMAC-SHA-512. SHA-256 is the most widely used; SHA-512 provides a larger output for higher-security applications.
  2. 2
    Enter your message
    Type or paste the message you want to authenticate into the Message textarea. Any UTF-8 text is accepted.
  3. 3
    Enter your secret key
    Type your HMAC secret key in the Secret Key field. Keep this key confidential: anyone with the key can generate valid HMACs.
  4. 4
    Read the output
    The HMAC is computed live and displayed in both hexadecimal and Base64 formats as you type.
  5. 5
    Copy the result
    Use the Copy buttons next to the hex or Base64 output to copy the value to your clipboard.

Related Tools

Frequently Asked Questions

What is HMAC and what is it used for?
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a code that verifies both the integrity and authenticity of a message. It is widely used for API request signing, webhook validation, JWT verification, and secure cookie signing.
What is the difference between HMAC-SHA-256 and plain SHA-256?
Plain SHA-256 is a one-way hash with no secret key: anyone can compute it. HMAC-SHA-256 requires a secret key, so only parties that know the key can produce or verify the code. This makes HMAC suitable for authentication, whereas plain hashes are suitable for integrity checking only.
Is the computation done in my browser or on a server?
Entirely in your browser using the Web Crypto API's HMAC-SHA implementation. Your message and key are never sent to any server.
What encoding is used for the message and key?
Both the message and key are encoded as UTF-8 before being processed. This is the standard for HMAC operations and is compatible with most server-side implementations.
When should I use hex output vs Base64?
Hex output is easier to read and debug, and is commonly used in HTTP headers (e.g. X-Signature: abc123...). Base64 is more compact and commonly used in JWT signatures and cookie values. Both represent the same underlying bytes.
How long should my HMAC secret key be?
NIST recommends the key be at least as long as the hash output: so 32 bytes (256 bits) for HMAC-SHA-256, 48 bytes for SHA-384, and 64 bytes for SHA-512. Shorter keys still work but provide less security.
Is HMAC-SHA-256 secure?
Yes. HMAC-SHA-256 is currently considered cryptographically strong and is recommended by NIST and used in TLS 1.3, AWS signature v4, and many other security-critical systems.
Can I verify an HMAC with this tool?
Indirectly. To verify, recompute the HMAC with the same message, key, and algorithm, then compare the output to the code you want to verify. The codes should match exactly.
Why do I get a different HMAC if I change the algorithm?
HMAC-SHA-256, SHA-384, and SHA-512 use different underlying hash functions, producing outputs of different lengths (32, 48, and 64 bytes respectively). Changing the algorithm changes the entire output.

AlteredIdea vs alternatives

vs server-side tools: Everything runs in your browser: your data never leaves your device.

vs command-line tools: No setup needed. Works instantly in any browser.

vs paid tools: Completely free, no account required.