HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a message authentication code. It is used to verify both the integrity and authenticity of a message. This tool generates HMAC digests using SHA-256, SHA-384, and SHA-512 algorithms - all computed locally in your browser using the Web Crypto API.
| Algorithm | Digest Size | Block Size | Common Usage |
|---|---|---|---|
| HMAC-SHA256 | 32 bytes | 64 bytes | Most common. Used in JWT (HS256), AWS Signature V4 |
| HMAC-SHA384 | 48 bytes | 128 bytes | TLS 1.3, higher security margin |
| HMAC-SHA512 | 64 bytes | 128 bytes | Maximum security, PBKDF2 key derivation |
Enter your message in the input field and your secret key in the key field. Select the hash algorithm - SHA-256, SHA-384, or SHA-512. Click 'Generate HMAC' to compute the authentication code. The output is displayed in hexadecimal format by default, with an option to switch to Base64 encoding. You can compare a computed HMAC against an expected value using the verification mode, which performs a constant-time comparison to prevent timing attacks.
HMAC generation is critical for signing API requests (used by AWS, Stripe, GitHub webhooks, and many other platforms), verifying webhook payload authenticity by comparing the HMAC in the request header with a locally computed one, implementing secure session tokens and cookie signatures, ensuring data integrity in message queues and event-driven architectures, creating tamper-proof URLs with expiration parameters, and building custom authentication protocols for microservices communication.
HMAC is defined in RFC 2104 and FIPS 198-1. The algorithm works by XORing the key with inner and outer padding constants, then performing two rounds of hashing: H((K XOR opad) || H((K XOR ipad) || message)). If the key is longer than the hash block size, it is first hashed to reduce it. HMAC-SHA-256 produces a 256-bit (32-byte) digest, HMAC-SHA-384 a 384-bit (48-byte) digest, and HMAC-SHA-512 a 512-bit (64-byte) digest. This tool uses the Web Crypto API's crypto.subtle.importKey() and crypto.subtle.sign() methods for native, hardware-accelerated HMAC computation.
HMAC combines a hash function with a secret key, so only parties who possess the key can generate or verify the code. A regular hash like SHA-256 can be computed by anyone, offering integrity but not authenticity. HMAC provides both, ensuring the message was not tampered with and came from someone who knows the key.
SHA-256 is the most widely used and recommended for most applications. SHA-384 and SHA-512 offer larger digest sizes for higher security margins. Choose based on your platform's requirements - most API providers (AWS, Stripe, GitHub) use HMAC-SHA-256.
Extract the signature from the webhook request header (e.g., X-Hub-Signature-256), compute the HMAC of the raw request body using your webhook secret key, and compare the two values. Use a constant-time comparison function to prevent timing attacks. If the values match, the payload is authentic.
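The verification steps above, as an added Node.js example (not code from this tool or from any platform's SDK). The `sha256=<hex>` header format, the secret, and the request body are assumptions constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Assumed header format: "sha256=" followed by 64 hex characters.
const HEADER_RE = /^sha256=([0-9a-f]{64})$/i;

// HMAC-SHA256 over the exact bytes received, before any JSON parsing.
function signBody(secret, rawBody) {
  return createHmac('sha256', secret).update(rawBody).digest();
}

function verifyWebhook(secret, rawBody, headerValue) {
  if (typeof headerValue !== 'string') return false;   // header absent
  const match = HEADER_RE.exec(headerValue.trim());
  if (!match) return false;                            // bad prefix, length or charset
  const received = Buffer.from(match[1], 'hex');
  const expected = signBody(secret, rawBody);
  // timingSafeEqual throws on unequal lengths, so check first.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Constructed sample data (not from any real service).
const SECRET = 'constructed-demo-secret';
const BODY = Buffer.from('{"event":"ping","id":1}', 'utf8');
const GOOD_HEADER = 'sha256=' + signBody(SECRET, BODY).toString('hex');

function demo() {
  // Same JSON content, different bytes: parsing and re-serializing breaks the MAC.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(BODY.toString()), null, 2));
  return {
    valid: verifyWebhook(SECRET, BODY, GOOD_HEADER),
    tamperedBody: verifyWebhook(SECRET, Buffer.from('{"event":"ping","id":2}'), GOOD_HEADER),
    reserializedBody: verifyWebhook(SECRET, reserialized, GOOD_HEADER),
    wrongSecret: verifyWebhook('other-secret', BODY, GOOD_HEADER),
    truncatedHeader: verifyWebhook(SECRET, BODY, GOOD_HEADER.slice(0, 40)),
    missingHeader: verifyWebhook(SECRET, BODY, undefined),
  };
}

console.log(demo());
```

The `reserializedBody` case is the common integration failure: a framework that parses the JSON before the handler runs leaves no raw bytes to verify, so capture the body as a buffer first.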