HMAC Generator
Crypto & SecurityGenerate HMAC signatures (SHA-256, SHA-512) for API auth and webhook verification. Free, private — all processing in your browser.
The HMAC Generator creates Hash-based Message Authentication Codes — cryptographic signatures that prove a message came from someone who knows a shared secret, and that it has not been tampered with in transit. Supports HMAC-SHA256 (the modern standard, used by Stripe, Shopify, AWS, GitHub, Slack webhooks), HMAC-SHA512 (for higher security), HMAC-SHA1 (legacy, still common), and HMAC-MD5 (deprecated but available for legacy APIs). Input any message and a secret key, get the HMAC output in hex, Base64, or Base64URL format.
HMAC is the foundation of most modern API authentication and webhook verification. When a webhook delivers an event payload, the sender signs it with HMAC-SHA256 using a secret only you and they know; you verify the signature to ensure (1) the payload really came from them, and (2) it has not been modified. AWS Signature Version 4 uses nested HMACs. Slack, Stripe, GitHub, Shopify, Twilio, DocuSign — all use HMAC for webhook verification. This tool runs entirely in your browser using the Web Crypto API — your secret keys and messages stay on your device.
HMAC Generator — key features
Multiple HMAC variants
HMAC-SHA256 (default), SHA-384, SHA-512, SHA-1, MD5. Choose based on target API requirements.
Hex, Base64, Base64URL output
Common output formats. Match what your target system expects. JWT uses Base64URL, most APIs use hex.
Web Crypto API
Uses native browser cryptography (Crypto.subtle). Same trusted code that powers HTTPS.
Key in UTF-8 or hex
Specify secret key as plaintext UTF-8 (most common) or hex bytes (for binary keys).
Live generation
Output updates as you type key or message. Fast iteration for debugging webhook signatures.
Copy and compare
Copy result to clipboard. Or paste expected HMAC to verify match (constant-time comparison emulation).
Message up to 10 MB
Handle large payloads — entire JSON responses, file contents, etc.
100% client-side
Secret keys and messages never leave your browser. Safe for production webhook secrets and API keys.
How to use the HMAC Generator
- 1
Enter the message
The data to sign — often a JSON payload, URL components, or timestamp + nonce.
- 2
Enter the secret key
Your shared secret with the API provider or webhook sender. Keep it secret.
- 3
Choose HMAC variant
SHA-256 (most common today). Match what the target API specifies. Stripe uses SHA-256; AWS uses SHA-256 in V4.
- 4
Select output format
Hex (most readable), Base64 (compact), or Base64URL (JWT style). Match what the API expects.
- 5
Compare with expected signature
If verifying a webhook, paste the expected signature. Tool shows whether it matches.
- 6
Copy the HMAC
Use in your Authorization header, webhook verification code, or signed URL.
Common use cases for the HMAC Generator
Webhook verification
- →Stripe webhooks: Stripe signs webhook deliveries with HMAC-SHA256. Verify X-Stripe-Signature header to reject forged webhooks.
- →GitHub webhooks: GitHub uses HMAC-SHA256 for X-Hub-Signature-256 header (newer) and HMAC-SHA1 for legacy signatures.
- →Shopify webhooks: X-Shopify-Hmac-SHA256 header. Verify before processing order, payment, or inventory events.
- →Slack webhooks: X-Slack-Signature header uses HMAC-SHA256 over timestamp + body. Standard slash command verification.
- →Twilio webhooks: HMAC-SHA1 of URL + POST params + auth token. Verify for SMS and voice callbacks.
API authentication
- →AWS Signature Version 4: HMAC-SHA256 chain: date -> region -> service -> request. Authenticates every AWS API call.
- →Signed URLs (S3 presigned): Pre-authorize time-limited access to S3 objects using HMAC signature in URL.
- →OAuth 1.0a signatures: Legacy Twitter, Flickr, OpenAPI. HMAC-SHA1 of request method + URL + parameters.
- →Custom API authentication: Many internal APIs use HMAC: client signs request with shared secret; server verifies.
Message integrity
- →JWT HS256 signing: JWT with HS256 algorithm uses HMAC-SHA256. Server secret signs header + payload.
- →Cookie signing: Signed session cookies (Express cookie-parser, Flask sessions) use HMAC to prevent tampering.
- →Database row signing: HMAC of critical row data prevents unauthorized modification of financial records, audit logs.
- →CSRF tokens: HMAC of session ID + secret key generates unpredictable CSRF tokens.
Debugging and testing
- →Test webhook signature generation: Before deploying webhook receiver, manually generate expected HMAC and verify your code matches.
- →Debug API authentication failures: When AWS/Stripe API returns 401, compute HMAC manually, compare with what your SDK sent.
- →Pre-compute signatures for load tests: Load test tools need valid signatures. Pre-compute and cache.
- →Integration testing: Generate test HMAC values in fixtures.
HMAC Generator — examples
Stripe webhook verification
HMAC-SHA256 signature for Stripe event.
Key: whsec_test_key_abc123
Message: {"id":"evt_123","type":"payment_intent.succeeded"}
Algorithm: SHA-256HMAC-SHA256 (hex): 3b7e9c4d6f2a8b5e1c7d9f0a2b4c6d8e...
GitHub webhook (new format)
HMAC-SHA256 of full payload with webhook secret.
Key: my-github-webhook-secret Message: full webhook payload JSON Output: Base64URL for X-Hub-Signature-256
sha256=dHZ5dGNhZnNwb29iZmc...
AWS Signature V4 step
One step in AWS chain: date key.
Key: AWS4 + secret_access_key Message: date in YYYYMMDD Algorithm: SHA-256
date_key (hex, 64 chars) Used in next HMAC step for region_key.
JWT HS256 signature
HMAC-SHA256 of JWT header + payload.
Key: jwt-signing-secret Message: base64url(header).base64url(payload) Output format: Base64URL
5mhBHqs5_DTLdINd9p5m7ZJ6XD0Xc55kIaCRY5r6HRA
Compare expected vs computed
Webhook verification in practice.
Expected (from header): abc123def456... Your message + secret computed: abc123def456...
MATCH — webhook is genuine. Process the event. (If NOT match, reject request with 401.)
Base64URL output for JWT
URL-safe encoding without padding.
Algorithm: SHA-256, output: Base64URL
Standard Base64: dHZ5dGNhZnN...== Base64URL: dHZ5dGNhZnN- (no padding, url-safe chars)
Technical details
HMAC (Hash-based Message Authentication Code) is defined in RFC 2104 (1997) and updated in RFC 6234 (SHA-2 variants). Unlike a plain hash (which anyone can compute), HMAC requires a secret key — only someone with the key can produce a valid HMAC for a given message.
Algorithm:
``
HMAC(key, message) = H( (key XOR opad) || H( (key XOR ipad) || message ) )
Where:
- H = hash function (SHA-256, SHA-512, etc.)
- opad = outer pad (0x5c repeated)
- ipad = inner pad (0x36 repeated)
- || = concatenation
Essentially: hash the message with a modified key, then hash again with a different modified key. The double-hashing structure protects against length extension attacks.
Supported variants:
| Variant | Output size | Status | Use case |
|---|---|---|---|
| HMAC-SHA256 | 256 bits | Recommended | Stripe, Slack, most modern APIs |
| HMAC-SHA384 | 384 bits | Secure | AWS Signature V4 |
| HMAC-SHA512 | 512 bits | Highest security | High-security contexts |
| HMAC-SHA1 | 160 bits | Deprecated for security | Legacy (GitHub webhooks v1) |
| HMAC-MD5 | 128 bits | Broken | Legacy only, do not use for security |
Output encodings:
- Hexadecimal: most readable. SHA-256 = 64 hex chars.
- Base64: more compact. SHA-256 = 44 chars (with padding).
- Base64URL: URL-safe Base64 without padding. Used in JWT headers.
Common use cases in practice:
1. Webhook signature verification:
GitHub sends webhook with header X-Hub-Signature-256: sha256=<hmac>:
- Server receives request.
- Compute HMAC-SHA256 of request body using webhook secret.
- Compare with received signature (using constant-time comparison).
- If match: request is genuine; proceed.
2. API request signing (AWS Signature V4):
- Client computes HMAC chain: date, region, service, request.
- Sends signature in Authorization header.
- Server re-computes, verifies match.
3. Signed URLs (presigned S3 URLs):
- Server computes HMAC of URL + expiration + permissions.
- Returns URL with signature as query parameter.
- Bucket verifies signature before serving.
4. Session tokens (JWT HS256):
- JWT header.payload signed with HMAC-SHA256 using server secret.
- Server verifies signature on each request.
Secret key requirements:
- At least 256 bits (32 bytes) for HMAC-SHA256 — RFC 2104 recommends key length ≥ hash output size.
- Generated from CSPRNG, not a password.
- Stored securely (environment variable, secret manager).
- Rotated periodically.
Constant-time comparison:
Comparing HMAC values with == leaks timing information. Use constant-time comparison (crypto.timingSafeEqual in Node, hmac.compare_digest in Python) to prevent timing attacks. This is critical for webhook verification servers.
HMAC vs plain hash:
- Hash (SHA-256(message)): deterministic, no secret needed. Anyone can compute. Proves integrity (was it changed?) but not authenticity (who created it?).
- HMAC (HMAC-SHA256(key, message)): requires secret. Proves both integrity AND authenticity. Used for authentication.
Common problems and solutions
⚠String comparison leaks timing
Comparing HMAC values with == short-circuits on first difference, leaking timing info to attackers. Use constant-time comparison: crypto.timingSafeEqual (Node), hmac.compare_digest (Python), subtle.ConstantTimeCompare (Go).
⚠Using the wrong message encoding
HMAC operates on bytes, not characters. Hashing a JSON object that was re-serialized may produce different bytes than the original. Always hash the exact bytes as transmitted.
⚠Secret key too short
RFC 2104 recommends key length equal to or greater than hash output (32 bytes for SHA-256). Short keys are internally padded to block size, reducing security. Generate 32+ byte keys from CSPRNG.
⚠Using HMAC-MD5 or SHA-1 for new systems
Both are broken. MD5 completely; SHA-1 has demonstrated collisions. Use HMAC-SHA256 or SHA-512 for new systems. Keep SHA-1/MD5 only for legacy API compatibility.
⚠Wrong HMAC variant
Stripe uses SHA-256; legacy GitHub uses SHA-1; AWS uses specific SHA-256 chain. Mismatch produces wrong signatures and failed verification. Check the API docs.
⚠Key rotation issues
When rotating webhook secrets, you may receive events signed with old OR new key during transition. Accept both during migration window, then require only new key.
⚠Using HMAC for password storage
HMAC is for message authentication, not password storage. Passwords need slow, memory-hard hashing: bcrypt, argon2, scrypt. HMAC is fast (good for sigs) but weak for password storage (resistant to brute force).
⚠Exposing the secret key
HMAC security depends on key secrecy. Never log it, commit it to git, show it in error messages. Use environment variables and secret managers.
HMAC Generator — comparisons and alternatives
HMAC vs Plain Hash (SHA-256): Plain hash requires no secret — anyone can compute SHA-256 of a message. HMAC requires a shared secret — only parties with the key can compute valid signatures. Use hash for integrity checks, HMAC for authentication.
HMAC vs Digital Signatures (RSA, ECDSA): HMAC is symmetric — same key signs and verifies. Digital signatures are asymmetric — private key signs, public key verifies. HMAC is faster; signatures enable verification by anyone without sharing the key. Use HMAC for internal APIs, signatures for public-facing auth.
HMAC-SHA256 vs SHA-256 with prepended key: HMAC is resistant to length-extension attacks (a vulnerability where you extend a hash without knowing the key). Raw hash with key prepended (SHA256(key + message)) can be extended. Always use HMAC construct, not ad-hoc combinations.
HMAC vs CMAC: HMAC uses a hash function; CMAC uses a block cipher (AES). CMAC is used in some embedded systems. HMAC is more widespread on the web.
HMAC vs JWT HS256: JWT HS256 uses HMAC-SHA256 under the hood. Same cryptography, different encoding. JWT is a structured token format; raw HMAC is just a signature.
HMAC vs AWS Signature V4: AWS V4 uses HMAC chained multiple times (date_key -> region_key -> service_key -> signing_key). More complex but provides forward secrecy — compromising one step limits damage.
Frequently asked questions about the HMAC Generator
▶What is HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a hash function (SHA-256, SHA-512) with a secret key to produce a signature. The signature proves (1) the message has not been tampered with, and (2) it came from someone who knows the shared secret. Defined in RFC 2104.
▶What is the difference between HMAC and a hash?
A hash (SHA-256) requires no key — anyone can compute the same hash for the same message. An HMAC requires a secret key — only parties with the key can compute valid HMACs. Use hash to verify data integrity; use HMAC to verify authenticity (who sent the data).
▶What is HMAC-SHA256?
HMAC using SHA-256 as the underlying hash function. Produces a 256-bit (64 hex characters) output. The current standard for webhook verification and API signing — used by Stripe, Shopify, Slack, GitHub, Discord, Twilio.
▶Is my secret key safe to enter here?
Yes. The tool computes HMAC entirely in your browser using Web Crypto API. Keys and messages never leave your device. Safe for production webhook secrets, AWS keys, and other sensitive secrets. Verify with DevTools Network tab.
▶Which HMAC variant should I use?
HMAC-SHA256 is the modern default. Use it unless your target API specifies otherwise. AWS Signature V4 requires SHA-256. Legacy systems may still require SHA-1 (GitHub v1 webhooks, OAuth 1.0a). Avoid HMAC-MD5 — broken.
▶Why do webhooks need HMAC verification?
Without verification, anyone could POST fake webhook data to your endpoint, triggering unauthorized actions (fake payments, fake orders, etc.). HMAC ensures only the legitimate sender (with the secret key) can produce valid signatures.
▶How long should my secret key be?
32 bytes (256 bits) for HMAC-SHA256 — matches the hash output size. Generate from a CSPRNG (not a password). Use a password manager or secret manager to store. Rotate periodically.
▶What happens if signatures do not match?
Reject the request. In webhook handlers, return 401 Unauthorized. Log the failed attempt (useful for debugging, security monitoring). Do not process the webhook — it may be a forgery attempt.
▶Why use constant-time comparison?
String comparison with == short-circuits on first difference, leaking timing info to attackers who can guess signatures character by character. Constant-time comparison (crypto.timingSafeEqual, hmac.compare_digest) takes same time regardless of where difference is, defeating timing attacks.
▶Can HMAC be cracked?
Not practically with modern hash functions (SHA-256, SHA-512). Brute-forcing a 256-bit output would take more operations than atoms in the universe. HMAC-SHA256 with a proper random key is cryptographically secure.
Additional resources
- RFC 2104 — HMAC — Official IETF HMAC specification.
- RFC 6234 — SHA-2 Hash — SHA-256, SHA-384, SHA-512 used in HMAC.
- Stripe Webhook Signatures — Real-world HMAC usage example.
- AWS Signature V4 — AWS API signing with HMAC chain.
- Web Crypto API — Browser API used by this tool.
Related tools
All Crypto & SecurityBase64 Encoder/Decoder
Encode and decode Base64 strings, files, and images instantly
Bcrypt Hash Generator
Hash passwords with bcrypt and verify existing hashes — configurable rounds
Hash Generator
Generate MD5, SHA-1, SHA-256, SHA-512 hashes for text and files
JWT Decoder
Decode and inspect JSON Web Token (JWT) headers, payloads, and signatures
JWT Generator
Create signed JSON Web Tokens (JWT) with custom claims — HS256, RS256, ES256
Password Generator
Generate strong, cryptographically secure random passwords
Learn more
Explore more tools
200+ free tools that run in your browser.
Browse all tools →