HMAC Generator

Parameters
HMAC Result 0 chars
What is HMAC?

HMAC (Hash-based Message Authentication Code) is a mechanism for message authentication using a cryptographic hash function and a secret key.

HMAC provides both data integrity and source authentication.

Algorithms
SHA-256
256-bit output. Standard for most applications.
SHA-384
384-bit output. Enhanced security.
SHA-512
512-bit output. Maximum security.
Use Cases
  • API request signing
  • Webhook verification
  • Message authentication
  • JWT signatures
  • Data protection

What HMAC Adds Over a Plain Hash

A hash tells you data was not corrupted; an HMAC tells you it was not corrupted and was produced by someone holding the secret key. That is why webhook signatures (Stripe, GitHub) and API request signing use HMAC-SHA256 rather than a bare hash - naively hashing secret+message is vulnerable to length-extension attacks, which the HMAC construction was designed to close. The construction, the attack and the verification pitfalls (timing-safe comparison above all) are covered in HMAC explained.

Computation happens in your browser through the Web Crypto API, so keys never leave the page. The nested structure looks like this:

HMAC(K, m) = H((K' ⊕ opad) || H((K' ⊕ ipad) || m))
  • K - secret key
  • m - message
  • H - cryptographic hash function (SHA-256, SHA-512)
  • K' - key padded to block size
  • opad - outer padding (0x5c repeated)
  • ipad - inner padding (0x36 repeated)
  • - XOR operation
  • || - concatenation

HMAC Questions

API authentication (AWS, Stripe use it), webhook verification, message integrity. It proves both that the message wasn't tampered with AND that it came from someone who knows the secret key.

Regular hash proves integrity only. HMAC proves integrity AND authenticity - only someone with the secret key could have created it. That's why it's used for API signatures.

SHA-256 is standard. SHA-512 if you want extra security. SHA-384 is rarely used but supported. Don't use MD5 or SHA-1 for new projects.

Yes, everything runs in your browser. Check the Network tab - nothing is sent to any server. But don't use production secrets in any web tool as a general practice.