What is HMAC used for?

HMAC is used for API authentication, webhook signature verification (e.g. Stripe, GitHub), JWT signing, and verifying data integrity between two parties that share a secret key.

Is my data uploaded to a server?

No. All HMAC computation runs locally in your browser using the Web Crypto API (SubtleCrypto). Your message and secret key never leave your device.

Which algorithm should I choose?

SHA-256 is the most widely supported and recommended for most use cases. Use SHA-512 when you need extra security margin. Avoid SHA-1 for new systems — it is considered weak.

What is the difference between Hex and Base64 output?

Both represent the same HMAC value in different encodings. Hex uses lowercase hexadecimal characters (0–9, a–f). Base64 is more compact. Base64url is the URL-safe variant used in JWTs (replaces + with - and / with _).

🔐

HMAC Generator

Generate HMAC signatures using SHA-1, SHA-256, SHA-384 and SHA-512 algorithms. Runs entirely in your browser — no data sent to any server.

🔒 Security Tools Free Browser-based

Tool

Message

Secret Key

Algorithm

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a secret key with a hash function to produce a unique signature for a message. It is widely used for API authentication, webhook verification and data integrity checks.

Algorithm Comparison

Algorithm	Output Length	Security Level	Common Use
HMAC-SHA-1	160 bits / 20 bytes	Moderate	Legacy systems
HMAC-SHA-256	256 bits / 32 bytes	Strong	JWT, API signatures
HMAC-SHA-384	384 bits / 48 bytes	Very Strong	High-security APIs
HMAC-SHA-512	512 bits / 64 bytes	Very Strong	Sensitive data signing

How It Works

HMAC combines your secret key and message through two rounds of hashing: HMAC(key, msg) = H((key ⊕ opad) ∥ H((key ⊕ ipad) ∥ msg)). Even a tiny change in the message or key produces a completely different signature — making it tamper-proof.

HMAC Generator

What is HMAC?

Algorithm Comparison

How It Works

Frequently Asked Questions