HMAC Generator

Keyed hashes for message authentication.

client-side · free · no-signup
signed locally with the Web Crypto API · nothing is uploaded
How to use the HMAC Generator

HMAC (Hash-based Message Authentication Code) mixes a secret key into a hash function so the receiver can both verify data integrity and confirm the sender holds the key. Paste a secret and a message, pick an algorithm, and the hex digest updates on every keystroke — all computed locally with the Web Crypto API.

  1. Type or paste your secret key at the top. Anything works: a random API key, a passphrase, raw bytes.
  2. Enter the message you want to sign.
  3. Pick an algorithm (SHA-256 is the sensible default) and copy the resulting hex digest.

tips

  • A plain SHA-256 only proves a message was not corrupted. HMAC also proves the sender had the secret, which is why APIs like AWS Signature V4 and GitHub webhooks rely on it.
  • The output is not encrypted. Anyone with the digest can verify it, but only someone with the key can produce it. HMAC is for authentication, not confidentiality.
  • Compare two HMACs in constant time on the server — a naive === check leaks timing information that can let attackers forge signatures byte-by-byte.
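
The sign-and-verify flow from the steps and tips above, as an added example (not the tool's own code): it produces the hex digest with the Web Crypto API and checks a received digest through `crypto.subtle.verify`, which leaves the comparison to the crypto implementation instead of a string `===`. The function names `hmacHex`, `hexToBytes` and `verifyHmacHex` are illustrative.

```javascript
// Web Crypto is a global in browsers and recent Node; older Node needs the fallback.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder();

// Import the secret as a non-extractable HMAC key.
// `hash` is a Web Crypto digest name such as "SHA-256" or "SHA-512".
function importKey(secret, hash, usages) {
  return subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash }, false, usages);
}

// Sender side: lowercase hex digest of the message under the secret.
async function hmacHex(secret, message, hash = "SHA-256") {
  const key = await importKey(secret, hash, ["sign"]);
  const mac = new Uint8Array(await subtle.sign("HMAC", key, enc.encode(message)));
  return Array.from(mac, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Strict hex decoder: returns null for odd length or any non-hex character.
function hexToBytes(hex) {
  if (typeof hex !== "string" || hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    return null;
  }
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  }
  return out;
}

// Receiver side: the MAC is recomputed and compared inside subtle.verify,
// so no digest string is ever compared with === in application code.
async function verifyHmacHex(secret, message, receivedHex, hash = "SHA-256") {
  const sig = hexToBytes(receivedHex);
  if (sig === null) return false; // malformed input is rejected outright
  const key = await importKey(secret, hash, ["verify"]);
  return subtle.verify("HMAC", key, sig, enc.encode(message));
}
```
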

frequently asked

What is HMAC and how is it different from a plain hash?

HMAC (Hash-based Message Authentication Code) mixes a secret key into the hash function. A plain SHA-256 only proves the data has not changed; HMAC also proves the sender holds the secret key, so receivers can authenticate the message.

Which algorithm should I use?

HMAC-SHA-256 is the safe default for new systems. Avoid HMAC-SHA-1 in new code — it is provided only for interoperability with legacy APIs. SHA-512 is slightly stronger on 64-bit CPUs but rarely necessary.

Is my secret sent anywhere?

No. The HMAC is computed in your browser with the Web Crypto API. Neither the secret nor the message ever leaves your machine.