HMAC Generator

Generate hash-based message authentication codes securely

Free HMAC Generator Online

Create cryptographic message authentication codes with multiple algorithms

Our free HMAC Generator creates Hash-based Message Authentication Codes using industry-standard algorithms (SHA-256, SHA-384, SHA-512, SHA-1). HMAC provides both data integrity and message authentication — ensuring data hasn't been tampered with and verifying the sender's identity. Generate HMACs in hex or Base64 format using the Web Crypto API for secure, browser-based processing.

🔐 What is HMAC?

HMAC (Hash-based Message Authentication Code) is a cryptographic mechanism defined in RFC 2104 that combines a hash function with a secret key to produce a message authentication code. Unlike a simple hash (like SHA-256 of a message), HMAC uses a shared secret key — meaning only parties who know the key can generate or verify the code. This provides two security properties: integrity (detecting if the message was modified) and authenticity (confirming the message came from the expected sender). HMAC is used extensively in API authentication (AWS, Stripe), webhook verification, JWT signing, and secure communications.

🛠️ How to Generate an HMAC

  1. Enter the message you want to authenticate: this can be any text, JSON payload, or data string.
  2. Enter your secret key: this shared key must be known by both the sender and receiver.
  3. Select the hash algorithm (SHA-256 recommended for most applications, SHA-512 for maximum security).
  4. Choose the output format: Hexadecimal (common in APIs) or Base64 (more compact).
  5. Click 'Generate HMAC' to create the authentication code using the Web Crypto API.

✨ Key Features

Multiple Hash Algorithms

Support for SHA-256, SHA-384, SHA-512, and SHA-1. Choose the algorithm that matches your application's security requirements and API specifications.

Hex & Base64 Output

Generate HMAC in hexadecimal format (common in API signatures) or Base64 format (more compact) depending on your use case.

Web Crypto API

Uses the browser's built-in Web Crypto API for cryptographically secure HMAC generation — no external libraries needed.

🎯 Common Use Cases

🌐 API Authentication

Generate HMAC signatures for API request authentication. Services like AWS, Stripe, and Shopify use HMAC to verify that API requests come from authorized parties and haven't been modified in transit.

🔔 Webhook Verification

Verify incoming webhooks from services like GitHub, Stripe, and Twilio. These services sign webhook payloads with HMAC; compute your own HMAC over the received payload and compare it with the provided signature to verify authenticity.

🛡️ Data Integrity

Ensure data hasn't been tampered with during transmission or storage. Generate an HMAC when sending data and verify it upon receipt to detect any modifications.

🔑 JWT Signing

HMAC-SHA algorithms (HS256, HS384, HS512) are the most common JWT signing methods. Understand HMAC to debug and validate JWT signatures in your authentication systems.

💡 HMAC Best Practices

  • Use SHA-256 or SHA-512 for new applications — avoid SHA-1 as it has known weaknesses (though HMAC-SHA1 is still considered secure, newer algorithms are preferred).
  • Use a key at least as long as the hash output — 256 bits (32 bytes) for SHA-256, 512 bits (64 bytes) for SHA-512.
  • Never reuse HMAC keys across different applications or services — each service should have its own unique key.
  • When verifying HMACs, use constant-time comparison to prevent timing attacks (e.g., crypto.timingSafeEqual in Node.js).
  • Include timestamps or nonces in HMAC messages to prevent replay attacks.
  • Store secret keys securely using environment variables or secrets managers — never hardcode them in source code.

❓ Frequently Asked Questions

What's the difference between HMAC and a regular hash?

A regular hash (like SHA-256) only provides integrity — anyone can compute it. HMAC combines a hash with a secret key, providing both integrity AND authenticity — only parties who know the secret key can generate or verify the HMAC. This is why HMAC is used for authentication while regular hashes are used for checksums.

Which HMAC algorithm should I use?

SHA-256 (HMAC-SHA256) is the most widely used and recommended for most applications. SHA-512 provides stronger security for high-security requirements. SHA-384 offers a middle ground. Avoid SHA-1 for new applications, though HMAC-SHA1 is still considered cryptographically secure.

Is HMAC-SHA1 still secure?

Yes, HMAC-SHA1 is still considered cryptographically secure because HMAC's security depends on the key, not just the hash function. However, for new applications, use HMAC-SHA256 or HMAC-SHA512 as they provide stronger security margins and are recommended by NIST.

How is HMAC used in API authentication?

In API authentication, the client creates an HMAC of the request content (URL, headers, body, timestamp) using a shared secret key and includes it as a header (e.g., X-Signature). The server independently computes the same HMAC and compares it. If they match, the request is authentic and unmodified.
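
The signing and verification flow described above, combined with the constant-time comparison and timestamp/nonce items from the best-practices list, as an added Node.js example (not this tool's code). The canonical request layout, the 300-second window, the in-memory nonce set and all function names are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const MAX_SKEW_SECONDS = 300; // assumed freshness window
const seenNonces = new Set(); // assumption: in production, a shared store with expiry

// Assumed canonical form: a JSON array gives unambiguous field boundaries.
function canonicalize(req) {
  return JSON.stringify([req.timestamp, req.nonce, req.method.toUpperCase(), req.path, req.body]);
}

// Client side: HMAC-SHA256 over the canonical request, hex-encoded.
function signRequest(key, req) {
  return crypto.createHmac("sha256", key).update(canonicalize(req)).digest("hex");
}

// Server side: returns true only for a fresh, unmodified, first-seen request.
function verifyRequest(key, req, signatureHex, nowSeconds) {
  // Stale or future-dated timestamps are rejected before any crypto work.
  if (!Number.isInteger(req.timestamp)) return false;
  if (Math.abs(nowSeconds - req.timestamp) > MAX_SKEW_SECONDS) return false;

  // Check the shape first: Buffer.from(..., "hex") silently truncates bad
  // input, and timingSafeEqual throws when the lengths differ.
  if (typeof signatureHex !== "string" || !/^[0-9a-f]{64}$/i.test(signatureHex)) return false;
  const provided = Buffer.from(signatureHex, "hex");
  const expected = crypto.createHmac("sha256", key).update(canonicalize(req)).digest();
  if (!crypto.timingSafeEqual(expected, provided)) return false;

  // Record the nonce only after the MAC checks out, so unauthenticated
  // callers cannot fill the store or burn a legitimate nonce.
  if (seenNonces.has(req.nonce)) return false;
  seenNonces.add(req.nonce);
  return true;
}

// Constructed sample request and a random 256-bit key.
function demo() {
  const key = crypto.randomBytes(32);
  const req = { timestamp: 1700000000, nonce: "demo-1", method: "post",
                path: "/v1/orders", body: '{"amount":100}' };
  const sig = signRequest(key, req);
  return {
    first: verifyRequest(key, req, sig, 1700000030),  // accepted
    replay: verifyRequest(key, req, sig, 1700000060), // same nonce again, rejected
    tampered: verifyRequest(key, { ...req, nonce: "demo-2", body: '{"amount":999}' }, sig, 1700000030),
  };
}
console.log(demo());
```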

Is my secret key safe using this tool?

Yes. All HMAC generation is performed entirely in your browser using the Web Crypto API. Your secret key and message data are never sent to any server. However, for production applications, always generate HMACs server-side where secret keys can be stored securely.