HMAC Generator
Compute the HMAC of a message with a secret key. Supports MD5, SHA-1, SHA-256, and SHA-512.
—
About HMAC Generator
HMAC (Hash-based Message Authentication Code) combines a secret key with a message and a cryptographic hash function to produce a signature. The signature proves that whoever generated it knew the key. HMAC is the standard way to authenticate webhook deliveries, sign API requests, and verify message integrity.
When to use it
- Computing the HMAC signature expected by an API (Stripe, GitHub webhooks, etc.)
- Verifying a webhook payload's authenticity
- Producing a tamper-evident token for a session or cookie
- Generating signed download URLs
How it works
The key and message are both encoded as UTF-8. HMAC is computed using the chosen hash algorithm (HMAC-SHA-256 by default). The result is the hex-encoded digest with the length determined by the underlying hash function (32 hex characters for MD5, 40 for SHA-1, 64 for SHA-256, 128 for SHA-512).
Examples
Key: secret Message: Hello, world! Algo: SHA-256
29f4f96d4c5d63adb33f8eb1ce47b6a5e0ed40c41cef1f73c2c08fd9af23717f
Frequently asked questions
- Which HMAC algorithm should I use?
- HMAC-SHA-256 is the modern default for new designs and what most APIs expect. HMAC-MD5 and HMAC-SHA-1 are still supported for legacy interop but should not be used in new code.
- Is the key sent anywhere?
- No. The HMAC is computed in your browser via WebAssembly; neither key nor message leaves your device.
- Why is HMAC needed if I have a hash?
- A plain hash of (key + message) is vulnerable to length-extension attacks for some algorithms. HMAC's design (two nested hashes with key XORs) is provably secure even when the underlying hash is, and is the right tool whenever you want a keyed signature.