HMAC Generator
Generate a Hash-based Message Authentication Code (HMAC) using a secret key and any SHA variant. HMACs are how APIs sign requests, how JWTs are validated, and how webhooks verify their sender. The tool uses the browser's native crypto.subtle API, so your key never leaves the page.
Message + secret = HMAC
HMAC mixes the secret key into the hash so only someone with the key can produce the same tag.
Hello, world! key: secret-key algo: HMAC-SHA-256
1cea08fd2a3d2c2c50a76d228a0d3aa57e34bf9c0b3f8d3fdcd9c5e3a1d6f12c
Where HMAC is used
HMAC is the workhorse of API authentication and webhook verification.
Webhook signing
Stripe, GitHub, and most providers sign webhook payloads with HMAC-SHA-256.
API auth
AWS Signature v4, request signing for many APIs.
JWT (HS256)
The "HS256" JWT family uses HMAC-SHA-256 to sign tokens.
Session tokens
Stateless sessions with tamper-proof signatures.
How to generate an HMAC
Paste your message
The exact bytes that will be signed.
Enter the secret key
A shared secret known to both sender and receiver.
Pick the algorithm
HMAC-SHA-256 is the modern default.
Click Generate
Copy the hex tag. Both sides must use the exact same bytes.
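The receiving side of the webhook signing described above, as an added example (not code from this page or its tool): it checks an HMAC-SHA-256 hex tag with the same crypto.subtle API and shows why both sides must sign the exact same bytes. The function names, secret and payload are assumptions constructed for the demo.

```javascript
// Added example; function names and sample values are constructed for illustration.
// Browsers and Node 19+ expose Web Crypto globally; the fallback covers older Node.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();

async function importKey(secret, usages) {
  return webcrypto.subtle.importKey(
    "raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, usages);
}

// Sender side: hex HMAC-SHA-256 tag over the exact message bytes.
async function signHex(secret, message) {
  const key = await importKey(secret, ["sign"]);
  const tag = await webcrypto.subtle.sign("HMAC", key, enc.encode(message));
  return Array.from(new Uint8Array(tag), b => b.toString(16).padStart(2, "0")).join("");
}

// Receiver side: check the hex tag from the signature header against the raw body.
// subtle.verify recomputes the tag and compares it, so no hand-written string
// comparison of secrets-derived values is needed.
async function verifyWebhook(secret, rawBody, hexTag) {
  if (!/^[0-9a-f]{64}$/i.test(hexTag)) return false; // wrong length or not hex
  const tag = Uint8Array.from(hexTag.match(/../g), h => parseInt(h, 16));
  const key = await importKey(secret, ["verify"]);
  return webcrypto.subtle.verify("HMAC", key, tag, enc.encode(rawBody));
}

// Constructed sample: verify the body as received, never a re-serialized copy.
async function demo() {
  const secret = "constructed-demo-secret";
  const body = '{"id": 42, "event": "paid"}'; // note the spaces in the raw bytes
  const tag = await signHex(secret, body);
  const reparsed = JSON.stringify(JSON.parse(body)); // same data, different bytes
  return {
    asReceived: await verifyWebhook(secret, body, tag),
    reserialized: await verifyWebhook(secret, reparsed, tag),
    wrongKey: await verifyWebhook("other-secret", body, tag),
  };
}

demo().then(result => console.log(result));
```

In a real handler, pass the request body exactly as it arrived on the wire; parsing and re-encoding JSON before verification changes the bytes and the check fails.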
Frequently asked questions
HMAC (RFC 2104) is Hash-based Message Authentication Code. It combines a cryptographic hash function with a shared secret key to authenticate the integrity and origin of a message.
No. HMAC authenticates — it proves the message hasn't been altered and was created by someone with the key. The message itself is not hidden.
HMAC-SHA-256 is the modern default. Use HMAC-SHA-384 or HMAC-SHA-512 for larger security margins. Avoid HMAC-SHA-1 except for legacy compatibility.
At least 256 bits (32 bytes) of random data is recommended for HMAC-SHA-256. Random URL-safe strings work well. Avoid passwords.
Yes. Runs entirely in your browser via Web Crypto. No signup, no upload, no logs.
About HMAC
HMAC (RFC 2104) is a construction for producing a Message Authentication Code from a cryptographic hash function and a shared secret key. It is the basis of webhook signing, JWT HS-family tokens, AWS Signature v4, and countless API authentication schemes.
How HMAC works
- The secret key is XORed with two pad constants (ipad and opad).
- The hash function is applied twice — inner and outer — protecting against length-extension attacks.
- The output is a fixed-size tag (same size as the underlying hash digest).
Choosing an algorithm
- HMAC-SHA-256 — the modern default. Stripe, GitHub, Slack, JWT HS256.
- HMAC-SHA-384 / HMAC-SHA-512 — JWT HS384/HS512, larger margin.
- HMAC-SHA-1 — legacy (AWS v2, older webhooks). Avoid for new designs.