HMAC Generator

Parameters
HMAC Result 0 chars
What is HMAC?

HMAC (Hash-based Message Authentication Code) is a mechanism for message authentication using a cryptographic hash function and a secret key.

HMAC provides both data integrity and source authentication.

Algorithms
SHA-256
256-bit output. Standard for most applications.
SHA-384
384-bit output. Enhanced security.
SHA-512
512-bit output. Maximum security.
Use Cases
  • API request signing
  • Webhook verification
  • Message authentication
  • JWT signatures
  • Data protection

Professional HMAC Generator

Generate HMAC (Hash-based Message Authentication Code) using SHA-256, SHA-384, and SHA-512 algorithms. Used for API request signing and data integrity verification.

Generator Features

  • Support for HMAC-SHA256, HMAC-SHA384, HMAC-SHA512
  • Output in Hex and Base64 formats
  • Random secret key generation
  • Instant calculation on input
  • Secure browser-based operation (Web Crypto API)

How HMAC Works

HMAC combines a hash function with a secret key to create a unique signature. Only parties knowing the secret key can create or verify the HMAC.

HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m))
  • K - secret key
  • m - message
  • H - cryptographic hash function (SHA-256, SHA-512)
  • K' - key padded to block size
  • opad - outer padding (0x5c repeated)
  • ipad - inner padding (0x36 repeated)
  • - XOR operation
  • || - concatenation

Related Tools

Hash Generator Password Generator Base64 Encoder/Decoder JWT Decoder/Encoder

HMAC Questions

API authentication (AWS, Stripe use it), webhook verification, message integrity. It proves both that the message wasn't tampered with AND that it came from someone who knows the secret key.

Regular hash proves integrity only. HMAC proves integrity AND authenticity - only someone with the secret key could have created it. That's why it's used for API signatures.

SHA-256 is standard. SHA-512 if you want extra security. SHA-384 is rarely used but supported. Don't use MD5 or SHA-1 for new projects.

Yes, everything runs in your browser. Check the Network tab - nothing is sent to any server. But don't use production secrets in any web tool as a general practice.