DevKits

HMAC Generator (SHA-1, SHA-256, SHA-384, SHA-512)

Compute HMAC signatures with SHA-1, SHA-256, SHA-384, or SHA-512. Used to verify API requests, sign webhooks, and authenticate messages.

Last updated:

Hex
Base64
Base64URL

Enter a message and secret key above, pick a hash (SHA-1/256/384/512), and get the HMAC signature instantly. Computed locally with the Web Crypto API — your secret never leaves the browser.

What is HMAC Generator?

HMAC (Hash-based Message Authentication Code) combines a message with a secret key through a hash function to produce a signature that proves both integrity (the message wasn't altered) and authenticity (it came from someone holding the secret). It's the mechanism behind webhook signatures (Stripe, GitHub, Slack), AWS Signature V4, and JWT's HS256. This tool computes HMAC digests for any message and key.

How to compute an HMAC signature

  1. 1Enter the message (the exact bytes you want to sign).
  2. 2Enter the secret key shared between sender and verifier.
  3. 3Select the hash algorithm — SHA-256 is the modern default.
  4. 4Copy the hex signature and compare it against the expected value, or send it in a signature header.

Use Cases

Verify incoming webhooks

Recompute the HMAC of a webhook body with the shared secret and compare it to the provider's signature header to confirm authenticity.

Sign API requests

Many APIs (including AWS SigV4) require an HMAC over the request. Test your signing logic against known values here.

Debug signature mismatches

When a webhook is rejected, compute the HMAC manually to find whether the body, encoding, or secret is the culprit.

Code Examples

HMAC in Node.js

import { createHmac } from "crypto";
const sig = createHmac("sha256", secret)
  .update(body)
  .digest("hex");

HMAC in Python

import hmac, hashlib
sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()

Key Concepts

Integrity + authenticity
HMAC proves the message wasn't tampered with AND that the sender knows the secret. A plain hash proves only integrity.
Constant-time comparison
When verifying, compare signatures with a timing-safe function (crypto.timingSafeEqual) to avoid leaking information through response timing.
Encoding matters
HMAC operates on bytes. A mismatch is often caused by signing the wrong string form — raw body vs parsed JSON, or the wrong character encoding.

Tips & Best Practices

  • Always sign the raw request body bytes, not a re-serialized version — re-serialization changes whitespace and breaks the signature.
  • Verify signatures with a constant-time comparison to prevent timing attacks.
  • SHA-256 is the safe default. SHA-1 HMAC is still cryptographically OK for HMAC but avoid it for new designs.
  • Keep the secret out of source control — load it from an environment variable or secrets manager.

Frequently Asked Questions

What is HMAC used for?

HMAC (Hash-based Message Authentication Code) combines a message with a secret key using a hash function. It's used to verify both integrity and authenticity of a message — e.g. signing webhook payloads (Stripe, GitHub, Slack) or API requests.

Which algorithm should I choose?

SHA-256 is the modern default (used by AWS SigV4, JWT HS256, most webhook signatures). SHA-1 is legacy but still common. SHA-384 and SHA-512 are used when a longer signature is required.

Is my secret sent anywhere?

No. HMAC is computed locally using the Web Crypto API. The secret never leaves your browser.

Related Tools