Generate an HMAC for a message and secret key with SHA-1, SHA-256, SHA-384, or SHA-512. Lowercase hex, computed locally via Web Crypto and never uploaded.
Runs entirely in your browser — your data never leaves your device.
How to use HMAC Generator
What it does & when you need it
You are verifying a webhook, signing an API request, or debugging why a provider
rejects your X-Signature header, and you need to compute an HMAC by hand to
compare against what your code produces. This tool takes a message and a secret
key, runs HMAC with the hash you choose — SHA-1, SHA-256, SHA-384, or SHA-512 —
and shows the digest as lowercase hexadecimal. It uses the browser's built-in Web
Crypto engine, the same primitive your server-side runtime uses, so the numbers
match and your key never leaves the page.
How to use
Enter your secret key in the key field and the payload in the message
buffer.
Choose the hash in the toolbar. SHA-256 is the common default.
The HMAC appears in the output as you edit. Press Copy digest (or
Ctrl/Cmd + Enter) to copy it, or Sample to load a known test vector.
Things worth knowing
HMAC proves who sent it; a plain hash does not. Anyone can recompute a SHA-256
hash of a message, but only a holder of the shared secret can produce a matching HMAC.
That is why webhook providers sign deliveries this way and you compare tags rather
than trusting the body. For plain, unkeyed fingerprints, use the
hash generator instead.
Pick SHA-256 unless told otherwise. It backs HS256 JSON Web Tokens, Stripe and
GitHub webhook signatures, and countless APIs. SHA-384/512 give longer tags; SHA-1
is for legacy interop only. The collision attacks on plain SHA-1 do not break
HMAC-SHA1, but do not choose it for new work.
Encoding matters. The message and key are treated as UTF-8 bytes. A key longer
than the hash block size is hashed down first, per the spec, so any key length is
accepted. If your digest disagrees with a provider's, check for a trailing newline,
different character encoding, or seconds-versus-milliseconds drift in a signed
timestamp.
Examples
Canonical SHA-256 test vector
The quick brown fox jumps over the lazy dog
With the key "key" and SHA-256 this reproduces the well-known digest f7bc83f4…2d1a3cd8.
Sign a JSON webhook payload
{"event":"payment.succeeded","amount":4200}
Set your endpoint secret as the key to recreate the signature header a provider sends with a webhook.
Compare algorithm output sizes
message
Switch the hash selector and watch the length grow — 40 hex chars for SHA-1 up to 128 for SHA-512.
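The checks described under "Encoding matters" and in the examples above, as added code that is not this tool's own source. The function names and the secret are constructed for illustration; it assumes a browser or a Node.js runtime that provides Web Crypto.

```javascript
// Added example: HMAC via Web Crypto (crypto.subtle), the API this page names.
// Assumption: a browser or recent Node.js; require() is only a fallback for older Node.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const utf8 = new TextEncoder(); // key and message are treated as UTF-8 bytes

// Import the secret as raw key material for HMAC with the chosen hash.
async function importHmacKey(hash, secret) {
  return subtle.importKey("raw", utf8.encode(secret), { name: "HMAC", hash },
    false, ["sign", "verify"]);
}

// Compute the tag as lowercase hex, the format the tool displays.
async function hmacHex(hash, secret, message) {
  const key = await importHmacKey(hash, secret);
  const tag = await subtle.sign("HMAC", key, utf8.encode(message));
  return Array.from(new Uint8Array(tag), (b) => b.toString(16).padStart(2, "0")).join("");
}

// Check a received hex signature; subtle.verify recomputes the tag and does the
// comparison inside the crypto engine instead of a string === in application code.
async function verifyHex(hash, secret, message, sigHex) {
  if (!/^([0-9a-f]{2})+$/i.test(sigHex)) return false; // malformed header value
  const sig = Uint8Array.from(sigHex.match(/../g), (h) => parseInt(h, 16));
  const key = await importHmacKey(hash, secret);
  return subtle.verify("HMAC", key, sig, utf8.encode(message));
}

// Constructed sample values (not a real endpoint secret).
const SECRET = "constructed-endpoint-secret";
const BODY = '{"event":"payment.succeeded","amount":4200}';
const HASHES = ["SHA-1", "SHA-256", "SHA-384", "SHA-512"];

async function demo() {
  const sent = await hmacHex("SHA-256", SECRET, BODY); // what the sender would attach
  return {
    // The page's test vector: key "key", the quick-brown-fox message.
    vector: await hmacHex("SHA-256", "key", "The quick brown fox jumps over the lazy dog"),
    exactBody: await verifyHex("SHA-256", SECRET, BODY, sent),
    // One extra newline byte changes the whole tag, so verification fails.
    trailingNewline: await verifyHex("SHA-256", SECRET, BODY + "\n", sent),
    hexLengths: await Promise.all(
      HASHES.map(async (h) => (await hmacHex(h, SECRET, BODY)).length)),
  };
}

demo().then((r) => console.log(r));
```

Verify against the raw request body as received: parsing and re-serializing the JSON before checking can change the bytes in the same way the trailing newline does.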
Frequently asked questions
What is the difference between an HMAC and a plain hash?
A plain SHA-256 hash of a message can be recomputed by anyone who has the message, so it proves integrity but not authenticity. An HMAC mixes a secret key into the hashing process, so only parties who know the key can produce or verify the tag. That is what lets a webhook receiver confirm a payload really came from the sender and was not tampered with in transit.
Which hash algorithm should I choose?
SHA-256 is the sensible default and what most APIs (HS256 JWTs, Stripe and GitHub webhooks) use. Pick SHA-384 or SHA-512 when you want a longer tag or a spec demands it. Choose SHA-1 only to interoperate with an existing legacy system. The collision attacks on plain SHA-1 do not break HMAC-SHA1, but new designs should avoid it.
How are the key and message encoded?
Both are encoded as UTF-8 bytes before signing, and the key is imported as raw key material. Per the HMAC spec, a key longer than the hash block size is first hashed down, and a shorter key is zero-padded — the Web Crypto implementation handles that for you, so you can paste a key of any length.
Where are HMACs actually used?
They authenticate webhook deliveries (the X-Hub-Signature and Stripe-Signature headers), sign the HS256 family of JSON Web Tokens, protect API requests such as AWS Signature V4, and provide general message integrity in protocols like TLS. In each case both sides share a secret and compare HMACs rather than trusting the message alone.
Does this tool upload my message or key?
No. The HMAC is computed in your browser with the built-in Web Crypto API (crypto.subtle), so the secret key and message never leave your machine and the tool works offline once loaded.