HMAC Generator
Updated May 7, 2026HMAC generator online free. Generate HMAC-SHA256, HMAC-SHA512 keyed-hash authentication codes. HMAC calculator in your browser.
Message
Secret Key
About HMAC
- • HMAC = Hash-based Message Authentication Code
- • Combines a secret key with a message to create a signature
- • Verifies both data integrity AND authenticity
- • Use cases: API authentication, JWT signatures, webhook verification
Features
- Generate Keyed-Hash Message Authentication Codes (HMAC)
- Supports HMAC-SHA256, HMAC-SHA512, and HMAC-MD5
- Separate inputs for Secret Key and Message Payload
- Standard compliance with RFC 2104
- Instantly verify API webhook signatures
Common Use Cases
- Debugging API webhooks from services like Stripe, GitHub, or Slack which use HMAC for authentication
- Manually generating JSON Web Token (JWT) signatures for testing
- Verifying the authenticity and integrity of messages sent over untrusted networks
- Securing IoT device communications with symmetric keys
HMAC (Hash-based Message Authentication Code)
A standard cryptographic hash (like SHA-256) guarantees data integrity (the data hasn't changed). However, it does not guarantee authenticity. Anyone can alter a message and simply generate a new standard hash for it.
HMAC solves this by combining the hash function with a secret cryptographic key shared only between the sender and receiver. The algorithm mixes the secret key with the message data before hashing it.
When the receiver gets the message and the HMAC signature, they recompute the HMAC using their copy of the secret key. If the signatures match, it proves two things simultaneously: the message was not altered in transit (integrity), AND it was sent by someone who possesses the secret key (authenticity).
Examples
Secret Key: "my-super-secret-key"
Message: '{"user_id": 123, "action": "delete"}'
Algorithm: SHA-256
Result (Hex): 91d37b607ab9b23173d6bfa84672bb664df670d853155ebf0653d8ea71f5af7eFrequently Asked Questions
When a payment succeeds, Stripe sends an HTTP POST request (a webhook) to your server. To prove the request actually came from Stripe and not a malicious hacker, Stripe generates an HMAC signature of the payload using a secret key they gave you. Your server re-generates the HMAC using the payload and your secret key. If they match, the webhook is authentic.
No. HMAC is for authentication and integrity, not confidentiality. The message payload is still sent in plain text (unless sent over HTTPS). HMAC just guarantees that the plain text wasn't tampered with and was sent by a trusted party.
Yes, but for maximum security, the key should be completely random and at least as long as the hash output size (e.g., 32 bytes/256 bits for HMAC-SHA256).
💡 Tips
- When comparing HMAC signatures in your application code, always use a "constant-time" or "timing-safe" string comparison function to prevent timing attacks where attackers guess the signature byte-by-byte.
- Never expose your HMAC secret key in frontend JavaScript code. HMAC generation and verification must happen on a secure backend server.