HMAC Generator

Generate an HMAC for a message and secret key with SHA-1, SHA-256, SHA-384, or SHA-512. The digest is shown as lowercase hex, computed locally via Web Crypto and never uploaded.

Runs entirely in your browser — your data never leaves your device.

How to use HMAC Generator

What it does & when you need it

You are verifying a webhook, signing an API request, or debugging why a provider rejects your X-Signature header, and you need to compute an HMAC by hand to compare against what your code produces. This tool takes a message and a secret key, runs HMAC with the hash you choose (SHA-1, SHA-256, SHA-384, or SHA-512) and shows the digest as lowercase hexadecimal. It uses the browser's built-in Web Crypto engine, which implements the same standardized HMAC construction as your server-side runtime, so the digests match for identical key and message bytes, and your key never leaves the page.

How to use

  1. Enter your secret key in the key field and the payload in the message buffer.
  2. Choose the hash in the toolbar. SHA-256 is the common default.
  3. The HMAC appears in the output as you edit. Press Copy digest (or Ctrl/Cmd + Enter) to copy it, or Sample to load a known test vector.

Things worth knowing

An HMAC proves the sender holds the shared secret; a plain hash does not. Anyone can recompute a SHA-256 of a message, but only a holder of the shared secret can produce a matching HMAC. That is why webhook providers sign deliveries this way, and why you compare tags rather than trusting the body. For plain, unkeyed fingerprints, use the hash generator instead.

Pick SHA-256 unless told otherwise. It backs HS256 JSON Web Tokens, Stripe and GitHub webhook signatures, and countless APIs. SHA-384/512 give longer tags; SHA-1 is for legacy interop only. The collision attacks that break plain SHA-1 do not break HMAC-SHA1, but do not choose it for new work.

Encoding matters. The message and key are treated as UTF-8 bytes. A key longer than the hash block size is hashed down first, per the spec, so any key length is accepted. If your digest disagrees with a provider's, check for a trailing newline, different character encoding, or seconds-versus-milliseconds drift in a signed timestamp.
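
The points above, worked through with Web Crypto as an added example (this is not the tool's own source). The secret, the function names hmacHex, verifyHex, importKey and demo, and the fallback to node:crypto are assumptions made for illustration; the payload is the sample from this page.

```javascript
// Added example, not the tool's own code. Runs in browsers and in Node.
// Assumption: older Node without a global `crypto` falls back to node:crypto.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const utf8 = new TextEncoder();

// Import the secret as raw UTF-8 key material for the chosen hash.
function importKey(secret, hash) {
  return subtle.importKey('raw', utf8.encode(secret), { name: 'HMAC', hash },
    false, ['sign', 'verify']);
}

// Lowercase hex HMAC of a UTF-8 message, the format the page displays.
async function hmacHex(secret, message, hash = 'SHA-256') {
  const key = await importKey(secret, hash);
  const tag = new Uint8Array(await subtle.sign('HMAC', key, utf8.encode(message)));
  return Array.from(tag, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Check a received hex tag against the exact body text that arrived.
// subtle.verify does the comparison, so no hand-written === on hex strings.
async function verifyHex(secret, rawBody, hexTag, hash = 'SHA-256') {
  if (!/^(?:[0-9a-f]{2})+$/i.test(hexTag)) return false; // malformed tag
  const tag = Uint8Array.from(hexTag.match(/../g), (h) => parseInt(h, 16));
  const key = await importKey(secret, hash);
  return subtle.verify('HMAC', key, tag, utf8.encode(rawBody));
}

// Constructed sample: the page's example payload with a made-up secret.
async function demo() {
  const secret = 'example-endpoint-secret';
  const body = '{"event":"payment.succeeded","amount":4200}';
  const tag = await hmacHex(secret, body);
  const pretty = JSON.stringify(JSON.parse(body), null, 2); // re-serialized
  return {
    exactBody: await verifyHex(secret, body, tag),
    trailingNewline: await verifyHex(secret, body + '\n', tag),
    reserialized: await verifyHex(secret, pretty, tag),
    keyWithSpace: await verifyHex(secret + ' ', body, tag),
  };
}

demo().then((result) => console.log(result));
```

Only exactBody verifies: a trailing newline, a re-serialized body, or a stray space in the key each produce a different tag, which is why a receiver should verify the raw request body before parsing it.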

Examples

Canonical SHA-256 test vector

The quick brown fox jumps over the lazy dog

With the key "key" and SHA-256 this reproduces the well-known digest f7bc83f4…2d1a3cd8.

Sign a JSON webhook payload

{"event":"payment.succeeded","amount":4200}

Set your endpoint secret as the key to recreate the signature header a provider sends with a webhook.

Compare algorithm output sizes

message

Switch the hash selector and watch the length grow — 40 hex chars for SHA-1 up to 128 for SHA-512.

Frequently asked questions

What is the difference between an HMAC and a plain hash?

A plain SHA-256 hash of a message can be recomputed by anyone who has the message, so it proves integrity but not authenticity. An HMAC mixes a secret key into the hashing process, so only parties who know the key can produce or verify the tag. That is what lets a webhook receiver confirm a payload really came from the sender and was not tampered with in transit.

Which hash algorithm should I choose?

SHA-256 is the sensible default and what most APIs (HS256 JWTs, Stripe and GitHub webhooks) use. Pick SHA-384 or SHA-512 when you want a longer tag or a spec demands it. Choose SHA-1 only to interoperate with an existing legacy system. The collision attacks on plain SHA-1 do not break HMAC-SHA1, but new designs should avoid it.

How are the key and message encoded?

Both are encoded as UTF-8 bytes before signing, and the key is imported as raw key material. Per the HMAC spec, a key longer than the hash block size is first hashed down, and a shorter key is zero-padded — the Web Crypto implementation handles that for you, so you can paste a key of any length.

Where are HMACs actually used?

They authenticate webhook deliveries (the X-Hub-Signature and Stripe-Signature headers), sign the HS256 family of JSON Web Tokens, protect API requests such as AWS Signature V4, and provide general message integrity in protocols like TLS. In each case both sides share a secret and compare HMACs rather than trusting the message alone.

Does this tool upload my message or key?

No. The HMAC is computed in your browser with the built-in Web Crypto API (crypto.subtle), so the secret key and message never leave your machine and the tool works offline once loaded.