Text to hash
HMAC

About the HMAC Generator

What is an HMAC?

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash with a secret key to produce a keyed fingerprint. Anyone who knows the key can compute or verify it, but without the key you cannot forge one. This tool generates an HMAC of your text or a file using SHA-256, SHA-1, SHA-384 or SHA-512, with SHA-256 the usual choice.

HMAC is everywhere in web development: it signs API requests, verifies webhook payloads so you know they really came from the sender, protects session cookies and creates the signature part of JWT tokens. Because it uses a shared secret, it proves both that a message is intact and that it came from someone who holds the key. This tool computes it with your browser's native Web Crypto implementation, so your key and message never leave your device.

How to Use This Tool

  1. Enter your input. Type or paste text on the Text tab, or switch to the File tab and drop in a file. The HMAC appears instantly.
  2. Add your key and options. Enter your secret key, then type or paste the message (or switch to the File tab). Pick the algorithm and the HMAC updates instantly.
  3. Verify a value. Paste an expected signature into the compare box and the tool tells you instantly whether it matches.
  4. Copy the result. One click copies the HMAC to your clipboard.

Common Use Cases

  • Verifying webhooks: services like Stripe and GitHub sign webhook payloads with HMAC-SHA256; recompute the signature to confirm authenticity.
  • Signing API requests: many APIs authenticate each request with an HMAC of the request and a secret key.
  • JWT tokens: the HS256 algorithm in JSON Web Tokens is HMAC-SHA256 over the header and payload.
  • Message integrity: attach an HMAC so the recipient can detect any tampering in transit.

Frequently Asked Questions

What is the difference between a hash and an HMAC?

A plain hash like SHA-256 only proves data has not changed; anyone can compute it. An HMAC mixes in a secret key, so it also proves the message came from someone who knows that key. That makes HMAC suitable for authentication, where a bare hash is not.

What is HMAC-SHA256?

HMAC-SHA256 is an HMAC built on the SHA-256 hash. It is the most common variant by far, used for API signing, webhooks and JWT (where it is called HS256). Select it from the Algorithm dropdown, enter your key, and the signature updates as you type.

Is HMAC encryption?

No. HMAC does not hide your message; it produces a signature that proves integrity and authenticity. The original data is not contained in or recoverable from the HMAC. If you need to keep data secret, that is encryption, which is a separate thing.

How do I verify an HMAC signature?

Compute the HMAC of the received message with the shared secret key and compare it to the signature you were given. If they match exactly, the message is authentic and unchanged. Paste the expected value into the compare box here and the tool checks it for you.

Which hash should I use for HMAC?

SHA-256 is the standard choice and is what most APIs expect. Use SHA-384 or SHA-512 if a specification asks for them or you want a larger tag. HMAC-SHA1 is still seen in older systems but should be avoided for new designs.

Is my secret key kept private?

Yes. The HMAC is computed entirely in your browser using the Web Crypto API. Your key and message are never sent to our servers or stored anywhere.