🔑 HMAC Generator

Generate and verify HMAC-SHA-256, SHA-512, SHA-384 & SHA-1 signatures using the Web Crypto API — 100% client-side.

HMAC‑SHA‑256
256 bit · 64 hex
HMAC‑SHA‑512
512 bit · 128 hex
HMAC‑SHA‑384
384 bit · 96 hex
HMAC‑SHA‑1
160 bit · 40 hex
Quick Presets
✏️
Custom
Blank slate — enter your own message and key
🔗
Webhook
Verify GitHub / Stripe / Shopify webhook payloads
🌐
API Auth
Sign API requests with timestamp + method + path
🎫
JWT Header
Produce the HMAC signature portion of a JWT
🍪
Cookie Sign
Sign session cookies for tamper detection
📄
File MAC
Authenticate file content with a shared secret
Secret Key
0 chars  · 0 bits entropy  ·
Key encoding
Random key length:
output as Hex
Message
Message / Payload 0 chars · 0 bytes
Message encoding
HMAC Signature
Enter a key and message, then click Generate HMAC
All Algorithms
Click "Generate All" to compute all four HMAC variants simultaneously.

HMAC — How It Works & When to Use It

What is HMAC?

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key: HMAC(K, m) = H((K⊕opad) ∥ H((K⊕ipad) ∥ m)) . Unlike a plain hash, it provides both integrity and authenticity — only someone with the key can produce or verify the signature.

Webhook Verification

GitHub, Stripe, Shopify and most major APIs use HMAC-SHA-256 to sign webhook payloads. The platform signs the raw request body with a shared secret and sends the result in a header like X-Hub-Signature-256 . Your server recomputes the HMAC and compares.

JWT Signing

JSON Web Tokens use HMAC-SHA-256 (HS256) to sign the header + payload. The signature is computed over base64url(header) + "." + base64url(payload) with a secret key, then appended as the third JWT segment. This tool lets you reproduce that signature manually.

Constant-Time Verify

This tool uses crypto.subtle.verify() for signature verification, which performs constant-time comparison internally — preventing timing side-channel attacks that could leak whether signatures partially match. Never use string equality ( === ) to compare HMACs in production.