HMAC Generator
Generate HMAC-SHA256 or HMAC-SHA512 signatures using a secret key, entirely in your browser.
About HMAC
HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message. It combines a cryptographic hash function with a shared secret key to produce a signature that proves a message came from a trusted sender and has not been altered in transit.
How HMAC works
HMAC applies a hash function (such as SHA-256) to the message and the secret key in a specific way defined in RFC 2104. Unlike a plain hash (which anyone can compute), an HMAC can only be computed by someone who knows the secret key. The recipient recomputes the HMAC with the shared key and compares it to the one provided — if they match, the message is authentic and unmodified.
Common use cases
- Webhook verification — GitHub, Stripe, Shopify, and many other services sign webhook payloads with HMAC-SHA256. Your application computes the expected HMAC and compares it to the header value to confirm the request is genuine.
- API authentication — Some APIs require clients to sign requests with HMAC to prove identity without transmitting the secret key itself.
- Cookie and session integrity — Signing session data with HMAC ensures it cannot be tampered with by the client.
HMAC-SHA256 vs HMAC-SHA512
HMAC-SHA256 produces a 256-bit (32-byte) signature and is the most widely used choice, sufficient for virtually all use cases. HMAC-SHA512 produces a 512-bit (64-byte) signature and offers a larger security margin, useful when signatures are used for long-term verification or in high-assurance contexts.
Note: HMAC is a message authentication mechanism, not a password hashing scheme. For password storage, use bcrypt instead.