HMAC Generator

HMAC Generator

Updated May 7, 2026

HMAC generator online free. Generate HMAC-SHA256, HMAC-SHA512 keyed-hash authentication codes. HMAC calculator in your browser.

0 chars

Message

Secret Key

About HMAC

  • HMAC = Hash-based Message Authentication Code
  • • Combines a secret key with a message to create a signature
  • • Verifies both data integrity AND authenticity
  • Use cases: API authentication, JWT signatures, webhook verification

Features

  • Generate Keyed-Hash Message Authentication Codes (HMAC)
  • Supports HMAC-SHA256, HMAC-SHA512, and HMAC-MD5
  • Separate inputs for Secret Key and Message Payload
  • Standard compliance with RFC 2104
  • Instantly verify API webhook signatures

Common Use Cases

  • Debugging API webhooks from services like Stripe, GitHub, or Slack which use HMAC for authentication
  • Manually generating JSON Web Token (JWT) signatures for testing
  • Verifying the authenticity and integrity of messages sent over untrusted networks
  • Securing IoT device communications with symmetric keys

HMAC (Hash-based Message Authentication Code)

A standard cryptographic hash (like SHA-256) guarantees data integrity (the data hasn't changed). However, it does not guarantee authenticity. Anyone can alter a message and simply generate a new standard hash for it.

HMAC solves this by combining the hash function with a secret cryptographic key shared only between the sender and receiver. The algorithm mixes the secret key with the message data before hashing it.

When the receiver gets the message and the HMAC signature, they recompute the HMAC using their copy of the secret key. If the signatures match, it proves two things simultaneously: the message was not altered in transit (integrity), AND it was sent by someone who possesses the secret key (authenticity).

Examples

Valid - HMAC-SHA256 Signature Generation
Secret Key: "my-super-secret-key"
Message: '{"user_id": 123, "action": "delete"}'
Algorithm: SHA-256
Result (Hex): 91d37b607ab9b23173d6bfa84672bb664df670d853155ebf0653d8ea71f5af7e

Frequently Asked Questions

How does Stripe or GitHub use HMAC?

When a payment succeeds, Stripe sends an HTTP POST request (a webhook) to your server. To prove the request actually came from Stripe and not a malicious hacker, Stripe generates an HMAC signature of the payload using a secret key they gave you. Your server re-generates the HMAC using the payload and your secret key. If they match, the webhook is authentic.

Is HMAC encryption?

No. HMAC is for authentication and integrity, not confidentiality. The message payload is still sent in plain text (unless sent over HTTPS). HMAC just guarantees that the plain text wasn't tampered with and was sent by a trusted party.

Can I use any string as an HMAC key?

Yes, but for maximum security, the key should be completely random and at least as long as the hash output size (e.g., 32 bytes/256 bits for HMAC-SHA256).

💡 Tips

  • When comparing HMAC signatures in your application code, always use a "constant-time" or "timing-safe" string comparison function to prevent timing attacks where attackers guess the signature byte-by-byte.
  • Never expose your HMAC secret key in frontend JavaScript code. HMAC generation and verification must happen on a secure backend server.

Common Mistakes

Appending the key to the message and hashing it manually (e.g., `SHA256(key + message)`). This is vulnerable to "length extension attacks". Always use standard HMAC functions provided by your language's crypto library.
Formatting the message differently when generating vs verifying. Even a single extra space in the JSON payload will result in a completely different HMAC signature.