Security Tools

HMAC Generator

Generate HMAC (Hash-based Message Authentication Code) for data integrity.

intermediate2-5 minutesRuns in your browser

Interactive workspace

Inputs stay on your device — nothing is sent to our servers unless you choose to share.

Client-side only
256-bit digest
Output:
HMAC-SHA256 (HEX)
HMAC digest appears here…

Quick examples

What is HMAC?

HMAC (Hash-based Message Authentication Code) combines a secret key with a hash function to verify message integrity and authenticity — commonly used in API signatures, JWTs, and webhooks.

Client-side only. Your secret key and message never leave this browser. Do not paste production secrets on shared machines.
HMAC verifies integrity with a shared secret — it is not encryption. Anyone with the secret can forge a valid digest.

Documentation

How to use this tool, practical use cases, and technical notes.

The HMAC Generator is designed for immediate use with zero configuration. A typical HMAC can be generated in under 30 seconds. Here is a complete walkthrough of every feature and option.


Step 1 — Select Your Algorithm

At the top of the tool workspace, choose between:

  • HMAC-SHA256 — 256-bit digest; the correct default for nearly all modern use cases

  • HMAC-SHA512 — 512-bit digest; select this only if your protocol or API specification requires it

When in doubt, use HMAC-SHA256. It is the algorithm specified by:

  • AWS Signature Version 4

  • GitHub webhook secret verification

  • Stripe webhook verification

  • Slack Events API signature verification

  • RFC 7519 JWT algorithm HS256

Use HMAC-SHA512 when your specification calls for it (JWT HS512, certain financial or government APIs).


Step 2 — Enter Your Message

Paste or type the exact message bytes you want to authenticate into the Message field. The message is the data whose integrity you want to protect — for example:

Use Case

What Goes in the Message Field

Webhook verification

The raw request body (exactly as received, before any parsing)

API request signing

The canonical request string as defined by the API spec (e.g., AWS canonical request)

JWT payload signing

The Base64URL-encoded header + "." + Base64URL-encoded payload

Simple test

Any plaintext string

File integrity

A string representation of file metadata or content

Critical: Message content must be byte-for-byte identical to what the receiving party will compute the HMAC over. A single extra space, a different line ending (\n vs \r\n), or URL-encoding differences will produce a completely different digest.


Step 3 — Enter Your Secret Key

Enter your Secret Key in the Secret Key field. This is the shared secret that both the sender and recipient must possess to produce and verify the same HMAC.

Key Type

Example

Notes

Plaintext string

my-webhook-secret-key

Common for webhooks; store in env vars, never hardcoded

Random hex string

a3f8c2e1...

Higher entropy; used in AWS, JWT secrets

Base64-encoded key

c2VjcmV0...

Ensure consistent encoding between sender and verifier

Long passphrase

correct-horse-battery-staple-2024

Acceptable if sufficiently long (32+ chars recommended)

Key length guidance by algorithm:

Algorithm

Minimum Recommended Key Length

Optimal Key Length

Effect of Shorter Key

HMAC-SHA256

16 bytes (128 bits)

32 bytes (256 bits)

Reduced security margin

HMAC-SHA512

32 bytes (256 bits)

64 bytes (512 bits)

Reduced security margin

Keys longer than the hash block size are hashed down automatically by the HMAC construction — there is no benefit to keys longer than 64 bytes (SHA-256) or 128 bytes (SHA-512).


Step 4 — Choose Your Output Encoding

Select the output format using the hex / base64 toggle:

  • hex — Produces a lowercase hexadecimal string. Example: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

  • base64 — Produces a Base64-encoded string. Example: LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=

Match this to what your receiving system expects. Most API documentation specifies the encoding format explicitly.


Step 5 — Generate or Use Live Mode

The tool offers two generation modes:

Mode

Behavior

Best For

Manual (Generate button)

Computes the HMAC only when you click Generate

Deliberate, one-shot generation

Live mode

Recomputes the HMAC in real time as you type

Interactive debugging; watching how output changes

Enable Live mode to see the digest update character-by-character as you type — useful for understanding that even a single character change in the message or key produces a completely different digest (the avalanche effect).


Step 6 — Use the Quick Examples

The tool includes three pre-loaded quick examples to get started immediately:

Example Label

Message Content

Typical Use Case

API request body

{"user":"admin","action":"login"}

Simulating JSON body signing for REST API authentication

Webhook payload

event=payment.completed&amount=99.00

Simulating form-encoded webhook payload verification

Simple test

The quick brown fox

Basic HMAC behavior demonstration

Click any quick example to populate the message field instantly, then add your own secret key and generate.


Step 7 — Read and Use the Output

The HMAC digest appears in the output panel labeled with the algorithm and encoding (e.g., HMAC-SHA256 (HEX)). Copy this value and use it per your implementation:

Integration

How to Use the Output

Webhook sender

Send as X-Hub-Signature-256: sha256=<hex-digest> HTTP header

JWT signing

The digest forms the signature portion of the JWT token

API request header

Include as Authorization: HMAC <hex-digest> or per API spec

Comparison/verification

Compare byte-by-byte (or use constant-time comparison) with received digest


Step 8 — Clear and Reset

Click the Clear button to wipe the message, secret key, and output fields simultaneously. Always clear the tool after working with real secrets on a shared or semi-trusted machine.


Interpreting Output: The Avalanche Effect

A key property of cryptographic hash functions (and therefore HMAC) is the avalanche effect: a tiny input change produces a radically different output. You can observe this with the Live mode:

Input State

Example HMAC-SHA256 Output (hex, key="secret")

Message: hello

88aab3ede8d3adf94d26ab90d3bafd4a2083070c3bcce9c014ee04a443847c0b

Message: Hello (capital H)

f5ac33f290ec95ef0ffb4f6e90af8c0a5a49a50b3b2e95e6a8cd6c6b2bf7e2a

Message: hello (trailing space)

5c3e6bcde3b58d5c0f0a1d5e9acf0f2b4f2a1d8a6c7e2b3d4e5f6a7b8c9d0e1

This demonstrates why byte-exact message handling is critical for HMAC verification.