HMAC Generator
The HMAC Generator computes HMAC (Hash-based Message Authentication Code) digests for any message using a secret key and your choice of hash algorithm (HMAC-SHA256, HMAC-SHA512, HMAC-SHA1, HMAC-MD5). HMACs are used to authenticate API requests, verify webhook payloads, and sign JWT tokens. All computation runs in the browser using the Web Crypto API – your secret key is never transmitted.
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a specific construction for creating a message authentication code (MAC) using a cryptographic hash function and a secret key. Defined in RFC 2104, HMAC provides both data integrity (detecting tampering) and authenticity (verifying the sender knows the shared secret key). Unlike a plain hash, an HMAC cannot be computed without knowledge of the secret key, so an attacker who intercepts the message cannot forge a valid HMAC. HMAC-SHA256 is the most widely used variant and is required by many APIs (AWS Signature V4, GitHub webhook verification, Stripe webhook signature, JWT HS256).
How does the tool work?
The tool implements the standard HMAC construction: if the key is longer than the hash function's block size, it is first hashed; the (possibly hashed) key is then zero-padded to the block size. The padded key is XORed with two constant padding values (ipad and opad) to derive an inner key and an outer key. The inner hash is computed as H(inner_key || message) and the outer hash as H(outer_key || inner_hash); the outer hash is the HMAC. The Web Crypto API's SubtleCrypto.sign() method handles this natively for HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512. The output is displayed as hex, Base64, or Base64url as selected.
Typical Use Cases
- Verifying GitHub, Stripe, or Shopify webhook payloads by computing the expected HMAC-SHA256
- Generating the HMAC signature for AWS Signature Version 4 request signing
- Creating JWT tokens signed with HS256 (HMAC-SHA256) for testing
- Debugging API authentication by manually computing and comparing HMACs
Step-by-step Guide
- Step 1: Enter the message or payload to authenticate in the message field.
- Step 2: Enter the shared secret key in the key field.
- Step 3: Select the hash algorithm (HMAC-SHA256 is the most common).
- Step 4: Copy the HMAC digest in your preferred format (hex, Base64, Base64url).
Example
Input
Message: 'Hello' | Key: 'secret' | Algorithm: HMAC-SHA256
Output
88aab3ede8d3adf94d26ab90d3bafd4a2083070c3bcce9c014ee04a443847c0b
Tips & Notes
- Use HMAC-SHA256 by default – it is supported by virtually all platforms and is the industry standard for API authentication.
- The HMAC key should be a high-entropy random secret, not a password. Use the Token Generator to create a suitable key.
- Never compare HMACs with a simple string equality check in your code – always use a constant-time comparison function to prevent timing attacks.
Frequently Asked Questions
What is the difference between HMAC and a digital signature?
HMAC uses a symmetric shared secret key – both parties must know the same key. A digital signature (RSA, ECDSA) uses asymmetric key pairs – the sender signs with the private key and anyone with the public key can verify. HMACs are faster and simpler; digital signatures allow public verification without sharing a secret.
How does GitHub verify webhook payloads using HMAC?
GitHub computes HMAC-SHA256 of the raw request body using the webhook secret as the key and sends the result in the X-Hub-Signature-256 header. Your server should compute the same HMAC and compare it (in constant time) to verify the payload was not tampered with.
Can I use HMAC-MD5 for security-sensitive applications?
HMAC-MD5 is generally considered safe for MAC purposes (the HMAC construction mitigates MD5's collision vulnerabilities), but HMAC-SHA256 is strongly preferred and is required by most modern specifications. Use HMAC-MD5 only if interoperability with a legacy system requires it.