HMAC Generator

Generate HMAC (Hash-based Message Authentication Code) signatures using SHA-256, SHA-512, and other algorithms. Your message and secret key never leave your browser.

Privacy

All computation happens entirely in your browser via the Web Crypto API. Your message and key are never sent to any server.

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a cryptographic hash function with a secret key to produce a fixed-size authentication tag. It is defined in RFC 2104 and is widely used to verify both the integrity and authenticity of a message.

The HMAC formula is:

HMAC(K, m) = H((K' ⊕ opad) ‖ H((K' ⊕ ipad) ‖ m))

Where H is the hash function, K is the secret key, m is the message, and K' is the key padded with zero bytes to the block size of H (a key longer than the block size is first hashed). ipad and opad are the fixed inner and outer padding constants defined in RFC 2104: the byte 0x36 and the byte 0x5C, each repeated to the block size. ⊕ is XOR and ‖ is concatenation.

Common Use Cases

  • Webhook verification — GitHub, Stripe, Twilio, and other services sign webhook payloads with HMAC-SHA256 so receivers can verify the payload was not tampered with.
  • API request signing — AWS Signature Version 4, as well as many custom REST APIs, derive request signatures using HMAC to prevent replay and man-in-the-middle attacks.
  • JWT (JSON Web Tokens) — The HS256 / HS384 / HS512 algorithms in JWT are HMAC variants that sign the header+payload with a shared secret.
  • Session tokens & CSRF tokens — Frameworks use HMAC to bind a token to a user session, preventing forgery.

Choosing an Algorithm

Algorithm       Output Size        Notes
HMAC-SHA-1      160 bits (20 B)    Legacy. Avoid for new systems.
HMAC-SHA-256    256 bits (32 B)    Recommended default. Used by most APIs.
HMAC-SHA-384    384 bits (48 B)    Higher security margin, less common.
HMAC-SHA-512    512 bits (64 B)    Maximum strength. Used for high-value data signing.

Output Encodings

  • Hex — Lower-case hexadecimal string. Most common in Unix tools and debugging. Two characters per byte, so the string is twice the length of the tag.
  • Base64 — Standard RFC 4648 base64 with + and /. Common in HTTP headers and email.
  • Base64url — URL-safe variant replacing + with - and / with _, no padding. Used in JWTs and OAuth tokens.

Security Notes

  • HMAC is only as secure as the secrecy of the key. Use a sufficiently random key of at least 128 bits (16 bytes) for SHA-256.
  • Avoid comparing HMAC digests with a simple string equality operation in production code — use a constant-time comparison to prevent timing attacks.
  • The message encoding matters: signing the UTF-8 bytes of a string is different from signing its base64 representation. Both sides of a verification must use identical encoding.
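As an added example (not the tool's own code, which runs in the browser via the Web Crypto API), the Python below builds HMAC directly from the RFC 2104 formula given above, cross-checks it against the standard library, renders the three output encodings, and performs the receiver-side webhook check from the security notes with a constant-time comparison over the raw body bytes. The secret and payload are constructed sample values.

```python
import base64
import hashlib
import hmac


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)) as in RFC 2104.
    K' is the key zero-padded to the hash block size; a key longer than the
    block size is first replaced by its hash. ipad = 0x36, opad = 0x5C."""
    block_size = hashlib.new(hash_name).block_size  # 64 B for SHA-256, 128 B for SHA-512
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    k_prime = key.ljust(block_size, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in k_prime)
    k_opad = bytes(b ^ 0x5C for b in k_prime)
    inner = hashlib.new(hash_name, k_ipad + msg).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def encode_tag(tag: bytes, encoding: str) -> str:
    """Hex, standard base64, or unpadded base64url: the three encodings the tool offers."""
    if encoding == "hex":
        return tag.hex()
    if encoding == "base64":
        return base64.b64encode(tag).decode("ascii")
    if encoding == "base64url":
        return base64.urlsafe_b64encode(tag).rstrip(b"=").decode("ascii")
    raise ValueError(f"unknown encoding: {encoding}")


def verify_webhook(secret: bytes, raw_body: bytes, received_hex: str) -> bool:
    """Receiver side: recompute over the exact raw body bytes and compare in
    constant time, so a mismatch does not leak how many leading bytes matched."""
    expected_hex = hmac_rfc2104(secret, raw_body, "sha256").hex()
    return hmac.compare_digest(expected_hex, received_hex)


if __name__ == "__main__":
    # Constructed sample secret and payload; not from any real service.
    secret, body = b"whsec_constructed_example_key", b'{"event":"order.paid","id":42}'
    for name in ("sha1", "sha256", "sha384", "sha512"):
        tag = hmac_rfc2104(secret, body, name)
        same = tag == hmac.new(secret, body, name).digest()  # cross-check with the stdlib
        print(f"HMAC-{name.upper():6} {len(tag) * 8:3} bits  {encode_tag(tag, 'hex')}  stdlib_match={same}")
    sig = hmac_rfc2104(secret, body).hex()
    print("raw body verifies:", verify_webhook(secret, body, sig))
    # Signing the base64 text of the body is a different message, so this fails.
    print("base64 body verifies:", verify_webhook(secret, base64.b64encode(body), sig))
```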