HMAC Generator

HMAC combines a secret key with a hash function—powering webhook signatures, API auth, and AWS Signature V4. This tool computes HMAC-SHA256, HMAC-SHA512, and more locally to match third-party docs or reproduce server verification. Use hash-generator for unkeyed digests and jwt-generator for JWT signing workflows.

Read the full guide: JWT Security Basics: Decode, Verify, and Common Mistakes →

Privacy: processed locally, never uploaded.

↓ Paste in the input area below to see results instantly

Message and secret

Enter message and shared secret. HMAC updates as you type.

Secret
Algorithm
Output format

Output

HMAC result

0e8d0d54851504630d2d9d46e991b6c226f66812a81416f7d4ae95d5193e345e

Notes

About HMAC

HMAC signs a message with a shared secret, common for API signatures and webhook verification. Never expose secrets in client code.

HMAC combines a secret key with a hash function—powering webhook signatures, API auth, and AWS Signature V4. This tool computes HMAC-SHA256, HMAC-SHA512, and more locally to match third-party docs or reproduce server verification. Use hash-generator for unkeyed digests and jwt-generator for JWT signing workflows.

Quick start

  1. Enter message and secret

    No output when secret is empty.

  2. Pick algorithm and format

    Prefer SHA-256; MD5/SHA-1 for legacy systems only.

Common uses

GitHub, Stripe, and similar webhooks use HMAC to verify payload integrity.

Typical Workflow

When developing features that require message integrity verification, the HMAC generator quickly validates signature matches. For example, when receiving webhooks, copy the raw message and secret key from the server, generate the HMAC, and compare it with the signature in the request header to detect tampering.

When debugging API authentication, first compare locally generated HMAC with documentation examples to confirm algorithm consistency. Then replace with your test data to verify server responses. This eliminates writing temporary scripts, ideal for rapid debugging. Ensure the secret key matches the counterpart, with SHA256 being the most common algorithm.

Webhook verification

Stripe, GitHub, Slack sign raw bodies with HMAC-SHA256. Reproduce digests here—body must be byte-identical. json-formatter changes bodies; verify with raw bytes.

Secrets live in headers (X-Signature), not bodies. Leaked HMAC secrets enable forgery—rotate and audit.

Security

Never paste production webhook secrets into browser tools—use staging or fake keys.

Compare wrong-secret digests with hash-generator against official examples.

Examples

Example

Input

message=Towalles, secret=secret-key, SHA-256

Output

Hex digest

FAQ

Difference from hash generator?

Hashes have no key; HMAC requires a shared secret for authenticated digests.

Why does the HMAC differ from the server's result?

Common causes: 1) Key mismatch (check for spaces/encoding); 2) Different message processing (e.g., line breaks); 3) Algorithm discrepancy; 4) Output format (Hex vs Base64 are equivalent but look different).

Which algorithms?

Common HMAC-SHA256/512—see tool UI options.

Hex or base64?

Follow integrator docs—Stripe often uses hex.

Sort JSON keys?

Only if docs require canonical JSON—most use raw body.

Secret uploaded?

No—local computation.