HMAC Generator
Keyed hashes for message authentication.
How to use the HMAC Generator
HMAC (Hash-based Message Authentication Code) mixes a secret key into a hash function so the receiver can both verify data integrity and confirm the sender holds the key. Paste a secret and a message, pick an algorithm, and the hex digest updates on every keystroke — all computed locally with the Web Crypto API.
- 01 Type or paste your secret key at the top. Anything works: a random API key, a passphrase, raw bytes.
- 02 Enter the message you want to sign.
- 03 Pick an algorithm (SHA-256 is the sensible default) and copy the resulting hex digest.
tips
- A plain SHA-256 only proves a message was not corrupted. HMAC also proves the sender had the secret, which is why APIs like AWS Signature V4 and GitHub webhooks rely on it.
- The output is not encrypted. Anyone with the digest can verify it, but only someone with the key can produce it. HMAC is for authentication, not confidentiality.
- Compare two HMACs in constant time on the server: a naive `===` check leaks timing information that can let attackers forge signatures byte-by-byte.
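The three steps and the comparison tip above, as an added example (not this tool's own code): it computes the hex digest with the Web Crypto API and checks a received digest with `subtle.verify`, so the comparison is done by the crypto library instead of `===` on hex strings. The function names are assumptions made for this sketch; the sample key and message in the comment are the published RFC 4231 test case 2.

```javascript
// Added example: HMAC via Web Crypto, with verification that avoids `===`.
const enc = new TextEncoder();

// SubtleCrypto in a browser, or in Node.js where the global may be absent.
async function getSubtle() {
  const c = globalThis.crypto ?? (await import("node:crypto")).webcrypto;
  return c.subtle;
}

// Import the secret as a non-extractable HMAC key bound to one hash.
async function importHmacKey(secret, hash = "SHA-256") {
  const subtle = await getSubtle();
  return subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash },
    false, ["sign", "verify"]);
}

// Steps 01-03: secret + message + algorithm -> lowercase hex digest.
async function hmacHex(secret, message, hash = "SHA-256") {
  const subtle = await getSubtle();
  const key = await importHmacKey(secret, hash);
  const mac = await subtle.sign("HMAC", key, enc.encode(message));
  return Array.from(new Uint8Array(mac), (b) => b.toString(16).padStart(2, "0")).join("");
}

// Decode a hex string; malformed input yields null rather than throwing.
function hexToBytes(hex) {
  if (typeof hex !== "string" || hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    return null;
  }
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}

// Receiver side: recompute and compare inside the crypto library.
async function verifyHmacHex(secret, message, receivedHex, hash = "SHA-256") {
  const sig = hexToBytes(receivedHex);
  if (sig === null) return false; // reject non-hex input before touching the key
  const subtle = await getSubtle();
  const key = await importHmacKey(secret, hash);
  return subtle.verify("HMAC", key, sig, enc.encode(message));
}

// Sample input (RFC 4231 test case 2):
//   hmacHex("Jefe", "what do ya want for nothing?")
```

On the receiving side, pass the exact bytes that were signed: verifying a re-serialized copy of the message fails even when the key is correct.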
frequently asked
What is HMAC and how is it different from a plain hash?
HMAC (Hash-based Message Authentication Code) mixes a secret key into the hash function. A plain SHA-256 only proves the data has not changed; HMAC also proves the sender holds the secret key, so receivers can authenticate the message.
Which algorithm should I use?
HMAC-SHA-256 is the safe default for new systems. Avoid HMAC-SHA-1 in new code — it is provided only for interoperability with legacy APIs. SHA-512 is slightly stronger on 64-bit CPUs but rarely necessary.
Is my secret sent anywhere?
No. The HMAC is computed in your browser with the Web Crypto API. Neither the secret nor the message ever leaves your machine.