🔑 HMAC Generator

Generate HMAC signatures with SHA algorithms. Runs in your browser.

Hash Algorithm

Output Format

Message

Secret Key

Generated Signature

Enter a message and secret key to generate an HMAC signature.

Message bytes: 0 | Key bytes: 0

Optional: Compare with Expected Signature

No comparison yet.

What is an HMAC Generator?

An HMAC generator creates a Hash-based Message Authentication Code for a message and a secret key. HMAC is used when you need to prove both data integrity and authenticity. It answers two key questions: did anyone change this message, and was it signed with the correct shared secret? If either condition fails, the signature check fails.

Developers use HMAC signatures in API authentication, webhook security, signed URLs, token systems, and request validation. Instead of sending plain trust signals, systems compute a cryptographic signature from the exact request body plus a secret. The receiver computes the same value and compares. Matching values confirm that the payload was not modified in transit and that the sender likely had the secret key.

This tool helps you create and inspect HMAC signatures quickly while testing integrations. You can switch between SHA-1, SHA-256, SHA-384, and SHA-512, and choose output formats like hex, Base64, and Base64URL. Everything happens client-side, so your message and secret are processed in your browser only.

How to Use This Tool

Select the algorithm expected by your API or service, for example HMAC-SHA256.
Paste the exact message string that should be signed. Keep spacing and line breaks unchanged.
Enter the secret key used for signing.
Choose your output format, then click Generate to produce the signature.
Optionally paste an expected signature to compare and confirm you match a reference implementation.

Key Features

Supports four common algorithms: SHA-1, SHA-256, SHA-384, and SHA-512.
Multiple output encodings: Hex, Base64, and Base64URL.
Live generation on input change with debounce for smooth typing.
Expected-signature comparison to verify implementation correctness.
100% browser-based processing for privacy and local debugging.

Frequently Asked Questions

Is HMAC encryption?

No. HMAC is a message authentication mechanism, not encryption. It does not hide the message content. It produces a signature that can be checked with the same secret key.

Why does my signature not match server output?

The most common cause is message mismatch. Extra spaces, line breaks, different JSON key order, or encoding differences can change the signature. Ensure you sign the exact bytes the server expects.

Which algorithm should I use?

Use what your system requires. In most modern API workflows, HMAC-SHA256 is the standard default unless documentation specifies otherwise.

Is it safe to use this tool with secrets?

All computation is done in your browser with Web Crypto APIs. No secret data is uploaded by this page logic.