
HMAC Generator

Generate HMAC signatures with the Web Crypto API.

What HMAC is for: an HMAC proves a message was created by someone who holds the shared secret and was not altered in transit — message authentication and integrity. It does not encrypt or hide the message; anyone can still read the message itself.

Processed on your device. We never see your files.

How to use HMAC Generator

What this tool does

This tool generates an HMAC — a Hash-based Message Authentication Code — for a message and a secret key. You type a message, enter the shared secret, and pick a hash algorithm (SHA-1, SHA-256, SHA-384, or SHA-512). The tool uses the browser’s built-in Web Crypto API to import the key and sign the message, then shows the resulting signature in two encodings: lowercase hexadecimal and base64. The signature updates automatically every time you change the message, the key, or the algorithm.

Why you might need it

HMAC is the standard way to prove that a message is genuine. Webhook providers sign each delivery with a secret so the receiver can confirm the request really came from them. APIs sign requests so a tampered call is rejected, and a replayed one too when the signed data includes a timestamp or nonce that the receiver checks. Systems that exchange data across a network use HMAC to detect any change in transit, accidental or malicious. When you are building or debugging one of these integrations, you often need to compute an HMAC by hand to compare against what the other side produced; this tool does exactly that, instantly and locally.

How to use it

  1. Choose the hash algorithm the system you are working with expects.
  2. Type or paste the message to be signed.
  3. Enter the secret key — the same secret both sides share.
  4. The HMAC appears below as soon as both fields have content.
  5. Copy the Hex or Base64 form with the button on its row.

Common pitfalls

The most common reason two HMACs disagree is a mismatch in the exact bytes being signed. A trailing newline, different line endings, extra whitespace, or a different character encoding all change the result completely — HMAC has no tolerance for “almost the same” input. When debugging, make sure the message here is byte-for-byte what the other system signs.

The key matters just as much. A leading or trailing space in the secret, or a key that is hex-encoded on one side but raw text on the other, produces a different signature. This tool treats the secret as raw UTF-8 text; if your system expects the key to be decoded from hex or base64 first, decode it before pasting it here.

Finally, do not confuse HMAC with encryption. It authenticates the message but leaves it fully readable. If the data itself must stay private, HMAC is not the tool for that job.

Tips and advanced use

To verify an incoming signature, compute the HMAC of the received message with the shared secret and compare it to the signature that was sent. If they match, the message is authentic and unmodified. In production code that comparison should be constant-time to avoid timing attacks, but for manual debugging a visual check of the hex strings is fine.

Pick the encoding that matches your target: many webhook signatures are sent as hex in a header, while others use base64. Both outputs here come from the same signature bytes, so you can switch between them freely. Because every byte of this computation happens in your browser, it is safe to test with real production secrets and payloads: nothing is uploaded, logged, or stored, which you can confirm in your browser's Network tab.

Frequently asked questions

Is my message or secret key sent to a server?
No. The HMAC is computed entirely in your browser with the Web Crypto API. Your message and secret key never leave your device — no network request is made, which you can verify in your browser's Network tab.

What is the difference between HMAC and a plain hash?
A plain hash like SHA-256 turns data into a fixed-length fingerprint, but anyone can recompute it. HMAC mixes a secret key into the hash, so only someone who holds the key can produce or check the result. That is what lets it prove authenticity, not just integrity.

Does HMAC encrypt my message?
No. HMAC is for authentication and integrity, not confidentiality. The message itself is not hidden or scrambled — HMAC only produces a signature that proves the message came from a holder of the secret and was not changed. Use encryption if you need to keep the message private.

Which algorithm should I choose?
HMAC-SHA256 is the modern default and is recommended for new systems. SHA-384 and SHA-512 produce longer signatures. SHA-1 is offered only because some older APIs still require HMAC-SHA1; avoid it for anything new.

Why are there two outputs, hex and base64?
They are two encodings of the exact same signature bytes. Hex is common in documentation and command-line tools; base64 is shorter and common in HTTP headers and JSON. Pick whichever format the system you are integrating with expects.
