What is the difference between HMAC and a regular hash?

A regular hash (like SHA-256) takes only the message as input, so anyone can compute it. HMAC also includes a secret key known only to authorized parties, so only someone with the key can generate or verify the correct HMAC.

Which algorithm should I use?

SHA-256 is the recommended default — it provides a strong 256-bit security level and is widely supported. Use SHA-384 or SHA-512 for higher security levels. Avoid SHA-1 for new applications as it is considered cryptographically broken.

What are HMACs used for?

HMACs are used to authenticate API requests (like signing AWS requests or webhook payloads), verify JWT tokens, ensure message integrity, and implement secure cookie signing.

Are my key and message secure?

Yes. All computation runs in your browser using the Web Crypto API. Your key and message never leave your device and are never sent to any server.

HMAC Generator

Generate HMAC (Hash-based Message Authentication Code) signatures with your secret key, or verify that a message matches a given HMAC using Web Crypto API — all client-side.

import CopyButton from "./_CopyButton.astro"

Algorithm Output

Secret Key

Message

HMAC

HMAC will appear here.

Verify HMAC

Enter a known HMAC value to check if it matches the message above with the same key.

Send output to:

How to use HMAC Generator

Select a hash algorithm (SHA-256 is recommended) and output format (hex or base64).
Enter your secret key and the message you want to sign, then click Generate HMAC.
Copy the HMAC output with the Copy button, or paste an HMAC in the Verify section to check message authenticity.

What is HMAC Generator?

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function (SHA-1, SHA-256, SHA-384, or SHA-512) with a secret key to produce a message authentication code. It is used to verify both the data integrity and authenticity of a message — if the message or key changes, the HMAC changes.

This tool uses the browser's built-in Web Crypto API (crypto.subtle) for fast, secure computation. Nothing is uploaded or stored. Use it to sign API payloads, verify webhook signatures, authenticate messages, and validate JWT secrets.

FAQ

What is the difference between HMAC and a regular hash?: A regular hash (like SHA-256) takes only the message as input, so anyone can compute it. HMAC also includes a secret key known only to authorized parties, so only someone with the key can generate or verify the correct HMAC.
Which algorithm should I use?: SHA-256 is the recommended default — it provides a strong 256-bit security level and is widely supported. Use SHA-384 or SHA-512 for higher security levels. Avoid SHA-1 for new applications as it is considered cryptographically broken.
What are HMACs used for?: HMACs are used to authenticate API requests (like signing AWS requests or webhook payloads), verify JWT tokens, ensure message integrity, and implement secure cookie signing.
Are my key and message secure?: Yes. All computation runs in your browser using the Web Crypto API. Your key and message never leave your device and are never sent to any server.

People also use

← Back to Developer Tools · All tags

HMAC Generator

Verify HMAC

How to use HMAC Generator

What is HMAC Generator?

FAQ

People also use

Ad blocker detected

Keyboard shortcuts