HMAC Generator
Generate HMAC signatures using SHA-256, SHA-384, or SHA-512. Uses the browser's native Web Crypto API — no data is sent anywhere.
About the HMAC Generator
HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message. It combines a cryptographic hash function (SHA-256, SHA-384, or SHA-512) with a secret key to produce a fixed-length digest. Anyone with the same key can recompute the HMAC and verify that the message has not been tampered with.
HMACs are used extensively in API authentication — webhook signatures (Stripe, GitHub, Shopify all use HMAC-SHA256), JWT signatures in symmetric mode (HS256 = HMAC-SHA256), signed cookies, and request signing in cloud services (AWS Signature Version 4 uses HMAC-SHA256 chained multiple times). The output format — hex or Base64 — depends on the API or protocol you are working with.
All computation runs locally using the browser's native Web Crypto API (crypto.subtle.sign). Your message and secret key are never transmitted.
Frequently Asked Questions
What is the difference between HMAC and a regular hash?
A regular hash (SHA-256, MD5) is computed from the message alone — anyone can compute it. An HMAC requires a secret key, so only parties with the key can produce or verify a valid signature. This prevents tampering and ensures the message came from an authorized source.
Which algorithm should I use — SHA-256, SHA-384, or SHA-512?
HMAC-SHA256 is the most widely used and is sufficient for most applications. SHA-384 and SHA-512 produce longer digests and are used when higher security margins are required. All three are considered secure — the choice is usually dictated by the API or protocol you are integrating with.
How do I use HMAC to verify a webhook?
Compute HMAC-SHA256 of the raw request body using the webhook secret as the key. Compare the result (hex-encoded) to the signature in the request header. Use a constant-time comparison to prevent timing attacks. Most platforms (Stripe, GitHub, Shopify) document this exact process.
Is hex or Base64 output better?
It depends on the system consuming the HMAC. APIs typically specify which format they expect. Hex is easier to read and debug; Base64 is more compact (approximately 33% shorter). Both represent the same underlying bytes.