HMAC

HMAC Generator

Generate and verify HMAC-SHA-256/512 signatures locally.

Input

Uses Web Crypto API for local HMAC computation.

Message

Secret

Algorithm

Secret encoding

Output encoding

Expected signature (optional)

All calculations run locally in the browser.

Output

Inspect generated signature and verification state.

Generate a signature to see output.

Security note: secrets are not stored, but avoid exposing them in screenshots or clipboard history.

What

HMAC Generator definition

HMAC combines a secret key and a hash function to provide message integrity and authentication.

Cases

Use Cases

Reproduce webhook signatures

Debug API request signing

Compare expected signatures

How To

How to generate HMAC signatures

Provide message/key settings and compute a signature.

Enter message and secret

Input the message payload and the signing secret.

Choose options

Select algorithm and secret/output encoding.

Generate and verify

Generate the signature and optionally compare with an expected value.

Knowledge

Understanding HMAC

Purpose

HMAC proves both message integrity and shared-secret possession.

Construction

It applies a keyed hash construction over the message using SHA-256/512.

Verification

Constant-time comparison helps reduce timing side-channel leaks.

Encoding pitfalls

Different textual encodings can represent the same bytes differently.

Operational hardening

Combine key rotation, short validity windows, and replay protections for safer deployments.

FAQ

HMAC Generator FAQ

How is HMAC different from a plain hash?

HMAC uses a secret key, so attackers cannot recompute valid signatures without the key.

Which algorithm should I choose?

SHA-256 is usually sufficient; use SHA-512 when policy requires longer digests.

When should I switch output encoding?

Use the format required by your integration: hex, base64, or base64url.

How does verification work?

It compares generated and expected bytes with length checks and constant-time comparison.

Can I provide secret in base64?

Yes. Select Base64 secret encoding and it will decode before signing.

Is my input uploaded?

No. Everything runs in-browser.

Why do I get an invalid expected signature error?

The expected value must match the selected output encoding format.

Can I validate test vectors?

Yes. This tool is suitable for checking RFC-style known vectors.

Encode/Crypto Tools

View all →

Base64 Converter

Encode and Decode Base64 data.

URL Encoder / Decoder

Keep text from breaking URLs by safely encoding or decoding it.

URL Parser / Builder

Parse a URL into its parts and edit query parameters to generate a new URL.

Hash Generator

Create MD5, SHA-1, SHA-256, or SHA-512 digests locally from any text.