Documentation
How to use this tool, practical use cases, and technical notes.
The HMAC Generator is designed for immediate use with zero configuration. A typical HMAC can be generated in under 30 seconds. Here is a complete walkthrough of every feature and option.
Step 1 — Select Your Algorithm
At the top of the tool workspace, choose between:
HMAC-SHA256 — 256-bit digest; the correct default for nearly all modern use cases
HMAC-SHA512 — 512-bit digest; select this only if your protocol or API specification requires it
When in doubt, use HMAC-SHA256. It is the algorithm specified by:
AWS Signature Version 4
GitHub webhook secret verification
Stripe webhook verification
Slack Events API signature verification
RFC 7519 JWT algorithm
HS256
Use HMAC-SHA512 when your specification calls for it (JWT HS512, certain financial or government APIs).
Step 2 — Enter Your Message
Paste or type the exact message bytes you want to authenticate into the Message field. The message is the data whose integrity you want to protect — for example:
Use Case | What Goes in the Message Field |
|---|---|
Webhook verification | The raw request body (exactly as received, before any parsing) |
API request signing | The canonical request string as defined by the API spec (e.g., AWS canonical request) |
JWT payload signing | The Base64URL-encoded header + "." + Base64URL-encoded payload |
Simple test | Any plaintext string |
File integrity | A string representation of file metadata or content |
Critical: Message content must be byte-for-byte identical to what the receiving party will compute the HMAC over. A single extra space, a different line ending (\n vs \r\n), or URL-encoding differences will produce a completely different digest.
Step 3 — Enter Your Secret Key
Enter your Secret Key in the Secret Key field. This is the shared secret that both the sender and recipient must possess to produce and verify the same HMAC.
Key Type | Example | Notes |
|---|---|---|
Plaintext string |
| Common for webhooks; store in env vars, never hardcoded |
Random hex string |
| Higher entropy; used in AWS, JWT secrets |
Base64-encoded key |
| Ensure consistent encoding between sender and verifier |
Long passphrase |
| Acceptable if sufficiently long (32+ chars recommended) |
Key length guidance by algorithm:
Algorithm | Minimum Recommended Key Length | Optimal Key Length | Effect of Shorter Key |
|---|---|---|---|
HMAC-SHA256 | 16 bytes (128 bits) | 32 bytes (256 bits) | Reduced security margin |
HMAC-SHA512 | 32 bytes (256 bits) | 64 bytes (512 bits) | Reduced security margin |
Keys longer than the hash block size are hashed down automatically by the HMAC construction — there is no benefit to keys longer than 64 bytes (SHA-256) or 128 bytes (SHA-512).
Step 4 — Choose Your Output Encoding
Select the output format using the hex / base64 toggle:
hex — Produces a lowercase hexadecimal string. Example:
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824base64 — Produces a Base64-encoded string. Example:
LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=
Match this to what your receiving system expects. Most API documentation specifies the encoding format explicitly.
Step 5 — Generate or Use Live Mode
The tool offers two generation modes:
Mode | Behavior | Best For |
|---|---|---|
Manual (Generate button) | Computes the HMAC only when you click Generate | Deliberate, one-shot generation |
Live mode | Recomputes the HMAC in real time as you type | Interactive debugging; watching how output changes |
Enable Live mode to see the digest update character-by-character as you type — useful for understanding that even a single character change in the message or key produces a completely different digest (the avalanche effect).
Step 6 — Use the Quick Examples
The tool includes three pre-loaded quick examples to get started immediately:
Example Label | Message Content | Typical Use Case |
|---|---|---|
API request body |
| Simulating JSON body signing for REST API authentication |
Webhook payload |
| Simulating form-encoded webhook payload verification |
Simple test |
| Basic HMAC behavior demonstration |
Click any quick example to populate the message field instantly, then add your own secret key and generate.
Step 7 — Read and Use the Output
The HMAC digest appears in the output panel labeled with the algorithm and encoding (e.g., HMAC-SHA256 (HEX)). Copy this value and use it per your implementation:
Integration | How to Use the Output |
|---|---|
Webhook sender | Send as |
JWT signing | The digest forms the signature portion of the JWT token |
API request header | Include as |
Comparison/verification | Compare byte-by-byte (or use constant-time comparison) with received digest |
Step 8 — Clear and Reset
Click the Clear button to wipe the message, secret key, and output fields simultaneously. Always clear the tool after working with real secrets on a shared or semi-trusted machine.
Interpreting Output: The Avalanche Effect
A key property of cryptographic hash functions (and therefore HMAC) is the avalanche effect: a tiny input change produces a radically different output. You can observe this with the Live mode:
Input State | Example HMAC-SHA256 Output (hex, key="secret") |
|---|---|
Message: |
|
Message: |
|
Message: |
|
This demonstrates why byte-exact message handling is critical for HMAC verification.
The HMAC Generator is designed for immediate use with zero configuration. A typical HMAC can be generated in under 30 seconds. Here is a complete walkthrough of every feature and option.
Step 1 — Select Your Algorithm
At the top of the tool workspace, choose between:
HMAC-SHA256 — 256-bit digest; the correct default for nearly all modern use cases
HMAC-SHA512 — 512-bit digest; select this only if your protocol or API specification requires it
When in doubt, use HMAC-SHA256. It is the algorithm specified by:
AWS Signature Version 4
GitHub webhook secret verification
Stripe webhook verification
Slack Events API signature verification
RFC 7519 JWT algorithm
HS256
Use HMAC-SHA512 when your specification calls for it (JWT HS512, certain financial or government APIs).
Step 2 — Enter Your Message
Paste or type the exact message bytes you want to authenticate into the Message field. The message is the data whose integrity you want to protect — for example:
Use Case | What Goes in the Message Field |
|---|---|
Webhook verification | The raw request body (exactly as received, before any parsing) |
API request signing | The canonical request string as defined by the API spec (e.g., AWS canonical request) |
JWT payload signing | The Base64URL-encoded header + "." + Base64URL-encoded payload |
Simple test | Any plaintext string |
File integrity | A string representation of file metadata or content |
Critical: Message content must be byte-for-byte identical to what the receiving party will compute the HMAC over. A single extra space, a different line ending (\n vs \r\n), or URL-encoding differences will produce a completely different digest.
Step 3 — Enter Your Secret Key
Enter your Secret Key in the Secret Key field. This is the shared secret that both the sender and recipient must possess to produce and verify the same HMAC.
Key Type | Example | Notes |
|---|---|---|
Plaintext string |
| Common for webhooks; store in env vars, never hardcoded |
Random hex string |
| Higher entropy; used in AWS, JWT secrets |
Base64-encoded key |
| Ensure consistent encoding between sender and verifier |
Long passphrase |
| Acceptable if sufficiently long (32+ chars recommended) |
Key length guidance by algorithm:
Algorithm | Minimum Recommended Key Length | Optimal Key Length | Effect of Shorter Key |
|---|---|---|---|
HMAC-SHA256 | 16 bytes (128 bits) | 32 bytes (256 bits) | Reduced security margin |
HMAC-SHA512 | 32 bytes (256 bits) | 64 bytes (512 bits) | Reduced security margin |
Keys longer than the hash block size are hashed down automatically by the HMAC construction — there is no benefit to keys longer than 64 bytes (SHA-256) or 128 bytes (SHA-512).
Step 4 — Choose Your Output Encoding
Select the output format using the hex / base64 toggle:
hex — Produces a lowercase hexadecimal string. Example:
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824base64 — Produces a Base64-encoded string. Example:
LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=
Match this to what your receiving system expects. Most API documentation specifies the encoding format explicitly.
Step 5 — Generate or Use Live Mode
The tool offers two generation modes:
Mode | Behavior | Best For |
|---|---|---|
Manual (Generate button) | Computes the HMAC only when you click Generate | Deliberate, one-shot generation |
Live mode | Recomputes the HMAC in real time as you type | Interactive debugging; watching how output changes |
Enable Live mode to see the digest update character-by-character as you type — useful for understanding that even a single character change in the message or key produces a completely different digest (the avalanche effect).
Step 6 — Use the Quick Examples
The tool includes three pre-loaded quick examples to get started immediately:
Example Label | Message Content | Typical Use Case |
|---|---|---|
API request body |
| Simulating JSON body signing for REST API authentication |
Webhook payload |
| Simulating form-encoded webhook payload verification |
Simple test |
| Basic HMAC behavior demonstration |
Click any quick example to populate the message field instantly, then add your own secret key and generate.
Step 7 — Read and Use the Output
The HMAC digest appears in the output panel labeled with the algorithm and encoding (e.g., HMAC-SHA256 (HEX)). Copy this value and use it per your implementation:
Integration | How to Use the Output |
|---|---|
Webhook sender | Send as |
JWT signing | The digest forms the signature portion of the JWT token |
API request header | Include as |
Comparison/verification | Compare byte-by-byte (or use constant-time comparison) with received digest |
Step 8 — Clear and Reset
Click the Clear button to wipe the message, secret key, and output fields simultaneously. Always clear the tool after working with real secrets on a shared or semi-trusted machine.
Interpreting Output: The Avalanche Effect
A key property of cryptographic hash functions (and therefore HMAC) is the avalanche effect: a tiny input change produces a radically different output. You can observe this with the Live mode:
Input State | Example HMAC-SHA256 Output (hex, key="secret") |
|---|---|
Message: |
|
Message: |
|
Message: |
|
This demonstrates why byte-exact message handling is critical for HMAC verification.