HMAC Generator

Generate HMAC (Hash-based Message Authentication Code) signatures using the Web Crypto API. All processing happens in your browser.

HMAC Use Cases

HMAC is widely used for webhook signature verification (Stripe, GitHub, Slack), API request authentication, and ensuring message integrity. It combines a secret key with the message to produce a signature that only parties holding the key can generate or verify.

Security Note

Keep your secret keys secure and never expose them in client-side code or version control. Use environment variables and secure key management practices. Rotate keys periodically and use sufficiently long, random keys for production use.

Keyboard Shortcuts:

  • Ctrl/Cmd + Enter - Generate HMAC

Privacy: All HMAC generation happens locally using the native crypto.subtle.importKey() and crypto.subtle.sign() APIs. No data is sent to any server.

About HMAC (Hash-based Message Authentication Code)

HMAC is a specific type of message authentication code that uses a cryptographic hash function combined with a secret key. Unlike plain hashing, HMAC provides both data integrity and authentication, ensuring that a message has not been tampered with and was sent by someone who possesses the shared secret key.

Supported Algorithms:

  • HMAC-SHA-256 - 256-bit output (most common)
  • HMAC-SHA-384 - 384-bit output (high security)
  • HMAC-SHA-512 - 512-bit output (maximum security)

Common Use Cases:

  • Webhook signature verification (Stripe, GitHub, Slack)
  • API request authentication
  • Message integrity verification
  • JWT (JSON Web Token) signing
  • Session token generation
  • Secure cookie signing

How HMAC Differs from Plain Hashing:

Authentication: HMAC uses a secret key, so only parties who know the key can generate or verify the signature. Plain hashes can be computed by anyone.

Tamper resistance: An attacker cannot modify the message and recompute the HMAC without knowing the secret key, unlike plain hashes where anyone can compute a new hash for a modified message.

Length extension protection: HMAC is resistant to length extension attacks that can affect plain hash functions like SHA-256 when used naively for authentication.

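Standardized construction: HMAC follows the formula HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m)), where H is the hash function, K' is the key adjusted to the hash's block size, and ipad and opad are fixed padding constants. The construction comes with a published security proof.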
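The formula above, carried through for HMAC-SHA-256 and checked against the native `crypto.subtle.importKey()` / `crypto.subtle.sign()` path, as an added example that is not this tool's own code. The function names `hmacManual`, `hmacNative` and `hmacVerify` are hypothetical, and the sample key and message are the RFC 4231 test case 2 inputs.

```javascript
// Added example. The node:crypto fallback is only for Node versions without a global `crypto`.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder();
const BLOCK = 64; // SHA-256 block size in bytes

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

function concat(a, b) {
  const out = new Uint8Array(a.length + b.length);
  out.set(a, 0);
  out.set(b, a.length);
  return out;
}

// HMAC(K, m) = H((K' ^ opad) || H((K' ^ ipad) || m))
async function hmacManual(keyBytes, msgBytes) {
  // K': a key longer than one block is hashed first, then zero-padded to the block size.
  let k = keyBytes;
  if (k.length > BLOCK) k = new Uint8Array(await subtle.digest("SHA-256", k));
  const kPrime = new Uint8Array(BLOCK);
  kPrime.set(k);
  const ipad = kPrime.map((b) => b ^ 0x36);
  const opad = kPrime.map((b) => b ^ 0x5c);
  const inner = new Uint8Array(await subtle.digest("SHA-256", concat(ipad, msgBytes)));
  return toHex(await subtle.digest("SHA-256", concat(opad, inner)));
}

// The same tag through the native Web Crypto HMAC implementation.
async function hmacNative(keyBytes, msgBytes) {
  const key = await subtle.importKey(
    "raw", keyBytes, { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
  return toHex(await subtle.sign("HMAC", key, msgBytes));
}

// Receiver side: let crypto.subtle.verify() recompute and compare the tag
// instead of comparing hex strings by hand.
async function hmacVerify(keyBytes, msgBytes, sigHex) {
  if (!/^[0-9a-f]{64}$/i.test(sigHex)) return false; // reject malformed tags early
  const sig = Uint8Array.from(sigHex.match(/../g), (h) => parseInt(h, 16));
  const key = await subtle.importKey(
    "raw", keyBytes, { name: "HMAC", hash: "SHA-256" }, false, ["verify"]);
  return subtle.verify("HMAC", key, sig, msgBytes);
}

// Sample input: RFC 4231 test case 2 key and message.
hmacManual(enc.encode("Jefe"), enc.encode("what do ya want for nothing?")).then(console.log);
```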

Security Note: Never expose secret keys in client-side code, version control, or logs. Use environment variables and secure key management systems for production applications. Keys should be sufficiently long (at least 256 bits) and generated using a cryptographically secure random number generator. Rotate keys periodically and have a key revocation plan in place.