Skip to content
1001 Tools
sr
Developer tools

HMAC Generator

Enter a message and a secret key, choose a hash algorithm, and get the HMAC as a hex digest. HMAC proves that a message came from someone who knows the key and that it wasn’t altered — it’s what signs API requests and webhooks. The message and key stay in your browser and are never sent anywhere.

Enter a secret key to generate the HMAC.

Computed with the Web Crypto API in your browser. The message and key are never uploaded.

How it works

HMAC combines your key with the message through the chosen hash function twice, in a specific inner/outer construction (defined by RFC 2104). The result depends on both the message and the key: change either by one character and the whole digest changes. Anyone with the same key can recompute it to verify the message, but without the key it can’t be forged.

The tool uses the Web Crypto API (SubtleCrypto) for the actual signing, so it relies on the browser’s vetted cryptographic implementation rather than hand-rolled code. Pick SHA-256 unless a system specifies otherwise — it’s the common default. The digest length depends on the algorithm: SHA-256 gives 64 hex characters, SHA-512 gives 128.

Practical examples

Verifying a webhook signature

Services like payment providers sign each webhook by taking HMAC-SHA256 of the request body with your shared secret. Paste the body and the secret, pick SHA-256, and compare the result to the signature header to confirm the request is genuine.

A quick test vector

Message “The quick brown fox jumps over the lazy dog” with key “key” and SHA-256 gives f7bc83f4…2d1a3cd8 — a well-known vector you can use to check any HMAC implementation.

Signing an API request

Many APIs want HMAC of a canonical string (method + path + timestamp) under your API secret. Build that string, sign it here to see the expected value, and match it against what your code produces.

Frequently asked questions

What is the difference between HMAC and a plain hash?

A plain hash (like SHA-256) depends only on the input, so anyone can compute it. HMAC also mixes in a secret key, so only someone who knows the key can produce or verify it. That makes HMAC suitable for authentication, not just integrity.

Which algorithm should I use?

HMAC-SHA256 is the sensible default and what most APIs expect. Use SHA-384 or SHA-512 if a specification calls for them. Avoid HMAC-SHA1 for new systems — it’s offered here for compatibility with older ones, since HMAC-SHA1 is still considered safe but SHA-1 is being retired.

Is HMAC encryption?

No. HMAC is a one-way authentication code — you cannot recover the message from it. It proves authenticity and integrity, but it does not hide the message. Use encryption if you need confidentiality.

Why does an empty key give no result?

HMAC requires a key, so the tool waits until you enter one. In practice you should always use a strong, secret key — an empty or guessable key defeats the purpose of authentication.

Does the key length matter?

Longer, random keys are stronger. HMAC accepts keys of any length (internally hashing keys longer than the block size), but for security the key should be at least as long as the hash output and generated randomly, not a dictionary word.

Is my key or message sent to a server?

No. Everything is computed with the Web Crypto API inside your browser. Nothing you type is uploaded and analytics never receives it — which is exactly what you want for a secret key.

Why might my result differ from another tool?

Usually because of encoding or hidden characters. This tool treats the message and key as UTF-8 text. If the other side uses a base64- or hex-encoded key, or a different newline convention, the inputs differ and so will the HMAC.

What does the uppercase toggle do?

It only changes how the hex digest is displayed (A–F vs a–f). The value is identical either way; some systems expect uppercase hex, so the toggle saves you a manual conversion.

Can I use this to store passwords?

No. HMAC is not a password-hashing function. For storing passwords use a purpose-built, slow algorithm like bcrypt, scrypt or Argon2, which resist brute force. HMAC is for message authentication.

Related tools