Enter a message and a secret key, choose a hash algorithm, and get the HMAC as a hex digest. HMAC proves that a message came from someone who knows the key and that it wasn’t altered — it’s what signs API requests and webhooks. The message and key stay in your browser and are never sent anywhere.
Enter a secret key to generate the HMAC.
Computed with the Web Crypto API in your browser. The message and key are never uploaded.
How it works
HMAC combines your key with the message through the chosen hash function twice, in a specific inner/outer construction (defined by RFC 2104). The result depends on both the message and the key: change either by one character and the whole digest changes. Anyone with the same key can recompute it to verify the message, but without the key it can’t be forged.
The tool uses the Web Crypto API (SubtleCrypto) for the actual signing, so it relies on the browser’s vetted cryptographic implementation rather than hand-rolled code. Pick SHA-256 unless a system specifies otherwise — it’s the common default. The digest length depends on the algorithm: SHA-256 gives 64 hex characters, SHA-512 gives 128.
Practical examples
Verifying a webhook signature
Services like payment providers sign each webhook by taking HMAC-SHA256 of the request body with your shared secret. Paste the body and the secret, pick SHA-256, and compare the result to the signature header to confirm the request is genuine.
A quick test vector
Message “The quick brown fox jumps over the lazy dog” with key “key” and SHA-256 gives f7bc83f4…2d1a3cd8 — a well-known vector you can use to check any HMAC implementation.
Signing an API request
Many APIs want HMAC of a canonical string (method + path + timestamp) under your API secret. Build that string, sign it here to see the expected value, and match it against what your code produces.
Frequently asked questions
What is the difference between HMAC and a plain hash?
A plain hash (like SHA-256) depends only on the input, so anyone can compute it. HMAC also mixes in a secret key, so only someone who knows the key can produce or verify it. That makes HMAC suitable for authentication, not just integrity.
Which algorithm should I use?
HMAC-SHA256 is the sensible default and what most APIs expect. Use SHA-384 or SHA-512 if a specification calls for them. Avoid HMAC-SHA1 for new systems — it’s offered here for compatibility with older ones, since HMAC-SHA1 is still considered safe but SHA-1 is being retired.
Is HMAC encryption?
No. HMAC is a one-way authentication code — you cannot recover the message from it. It proves authenticity and integrity, but it does not hide the message. Use encryption if you need confidentiality.
Why does an empty key give no result?
HMAC requires a key, so the tool waits until you enter one. In practice you should always use a strong, secret key — an empty or guessable key defeats the purpose of authentication.
Does the key length matter?
Longer, random keys are stronger. HMAC accepts keys of any length (internally hashing keys longer than the block size), but for security the key should be at least as long as the hash output and generated randomly, not a dictionary word.
Is my key or message sent to a server?
No. Everything is computed with the Web Crypto API inside your browser. Nothing you type is uploaded and analytics never receives it — which is exactly what you want for a secret key.
Why might my result differ from another tool?
Usually because of encoding or hidden characters. This tool treats the message and key as UTF-8 text. If the other side uses a base64- or hex-encoded key, or a different newline convention, the inputs differ and so will the HMAC.
What does the uppercase toggle do?
It only changes how the hex digest is displayed (A–F vs a–f). The value is identical either way; some systems expect uppercase hex, so the toggle saves you a manual conversion.
Can I use this to store passwords?
No. HMAC is not a password-hashing function. For storing passwords use a purpose-built, slow algorithm like bcrypt, scrypt or Argon2, which resist brute force. HMAC is for message authentication.
Related tools
Hash Generator
Generate SHA-1, SHA-256, SHA-384 and SHA-512 hashes of text in your browser using the Web Crypto API.
Developer tools
Base64 Encoder and Decoder
Encode text to Base64 or decode it back, UTF-8 safe and URL-safe tolerant. Runs entirely in your browser.
Developer tools
JWT Decoder
Decode a JWT to read its header and payload, with expiry and issued-at shown as dates. Local only — no signature verification.
Developer tools
JSON Formatter
Beautify, validate or minify JSON in your browser — with clear error messages. Nothing is uploaded.
Developer tools
JSON to CSV Converter
Convert a JSON array of objects into CSV, right in your browser. Choose the delimiter; nested values are kept as JSON.
Developer tools
CSV to JSON Converter
Convert CSV to JSON in your browser. Header-to-keys, custom delimiter and optional number/boolean parsing.
Developer tools