HMAC Generator
Generate HMAC message authentication codes — SHA256, SHA512, SHA1, MD5
How to Use the HMAC Generator
- Enter the message you want to authenticate.
- Enter a secret key shared between sender and receiver.
- Select the hash algorithm (SHA-256, SHA-512, SHA-1, SHA-3, or MD5).
- Choose Hex or Base64 output format.
- Click Generate HMAC to produce the authentication code.
HMAC (Hash-based Message Authentication Code) provides message integrity and authenticity. Its nested construction, which combines a cryptographic hash function with a secret key, makes it resistant to length-extension attacks.
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a specific construction for creating a message authentication code using a cryptographic hash function (SHA-256, SHA-512, etc.) combined with a secret key. It provides both data integrity (the message wasn't changed) and authenticity (it came from someone who knows the key).
Common Uses
- API request signing — verify that requests come from authorised clients
- Webhook payload verification (GitHub, Stripe, and others use HMAC-SHA256)
- JWT signature generation (HS256 = HMAC with SHA-256)
- Verifying that file downloads haven't been tampered with
Frequently Asked Questions
What is the difference between HMAC and a regular hash?
A regular hash (SHA-256) of a message can be computed by anyone. An HMAC requires a secret key, so only parties who know the key can produce or verify the MAC. This prevents attackers who do not know the key from forging a valid MAC.
How do I verify a GitHub webhook with HMAC?
GitHub signs webhook payloads with HMAC-SHA256 using your webhook secret as the key. Compute HMAC-SHA256 of the raw request body with your secret, prefix it with "sha256=", and compare it to the X-Hub-Signature-256 header using a constant-time comparison.
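The verification steps above, as an added Python example (not GitHub's code or this tool's own). The function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac

PREFIX = "sha256="  # scheme prefix carried in the X-Hub-Signature-256 header


def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value the sender computes: 'sha256=' + hex HMAC-SHA256 of the body."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only when header_value authenticates raw_body under secret."""
    if not secret:
        return False  # fail closed if the secret was never configured
    if not isinstance(header_value, str) or not header_value.startswith(PREFIX):
        return False  # header missing, or a scheme we do not accept
    expected = sign(secret, raw_body)
    # Compare as bytes: compare_digest() raises TypeError on non-ASCII str input,
    # and the header is untrusted input.
    return hmac.compare_digest(expected.encode("ascii"),
                               header_value.encode("utf-8", "replace"))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed, not a real secret
    raw = b'{"action": "opened", "number": 1}'   # constructed payload bytes
    header = sign(secret, raw)                   # what the sender would attach

    print(verify_webhook(secret, raw, header))   # True
    # Re-serialising the JSON changes the bytes, so the MAC no longer matches:
    print(verify_webhook(secret, b'{"action":"opened","number":1}', header))  # False
    print(verify_webhook(secret, raw, None))     # False
    print(verify_webhook(secret, raw, header.replace("sha256=", "sha1=")))    # False
```

Pass the body bytes exactly as received. Parsing the JSON and serialising it again before verification changes the bytes and makes a valid signature fail.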
Which hash algorithm should I use with HMAC?
HMAC-SHA256 is the most common and recommended choice. It offers a good balance of security and performance. HMAC-SHA512 provides a longer MAC but is rarely needed. Avoid HMAC-MD5 and HMAC-SHA1 for new systems.