HMAC Generator
Generate an HMAC signature from a message and secret key using SHA-1, SHA-256, SHA-384, or SHA-512 — output as Hex or Base64, all computed privately in your browser.
Everything runs locally in your browser using the Web Crypto API — your message and secret key are never uploaded to a server.
Understanding the HMAC Generator
This online HMAC (Hash-based Message Authentication Code) generator creates keyed authentication codes, commonly called signatures, from a message and secret key using the SHA-1, SHA-256, SHA-384, or SHA-512 algorithms. Output can be encoded as hexadecimal or Base64. It is designed for developers verifying API webhooks, signing requests, or validating message authenticity. All computation happens client-side via the Web Crypto API, so your secret key and message never leave your browser.
How it works
The tool leverages the browser's native Web Crypto API (crypto.subtle) to perform cryptographic operations. It encodes your message and secret key as UTF-8 text, imports the secret as an HMAC key, and signs the message using your chosen hash algorithm (SHA-1, SHA-256, SHA-384, or SHA-512). The resulting signature is then converted to either hexadecimal (base-16) or Base64 (base-64) encoding for portability. This browser-native approach ensures no data is transmitted to servers.
Worked example
Message: 'hello' | Secret: 'mykey' | Algorithm: SHA-256 | Encoding: Hex → Output: '2d4ffbf29737e53c9c48a74d18f60d7fcb0d70ee2e15aa93b4e9b28a2d0ec47f'. The same message and secret with SHA-256 always produces this exact output; changing any input (message, key, or algorithm) produces a completely different signature.
Tips & common mistakes
- Use SHA-256 as your default for modern APIs and webhooks—it balances security and performance. SHA-1 is included for legacy system compatibility but should not be used for new designs.
- Your secret key is case-sensitive and even whitespace matters. 'key' and 'key ' (with a trailing space) produce different HMACs.
- Hex encoding is human-readable and commonly used in logs; Base64 is more compact and preferred for transmission in JSON or binary protocols.
- The HMAC output length depends on the algorithm: SHA-1 produces 40 hex chars, SHA-256 produces 64 hex chars, SHA-384 produces 96 hex chars, and SHA-512 produces 128 hex chars.
- If you're validating webhook signatures from an API, ensure you use the exact same algorithm and encoding the API provider specifies, or the signatures will not match.
- Browser support: Works in all modern browsers (Chrome, Firefox, Safari, Edge) via the Web Crypto API. Older browsers will show an error message.
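The steps under "How it works", together with the verification side of the webhook tip above, as an added example (not this tool's own source code). The function names `hmac` and `verifyHex` are assumptions of this example, and the `require` fallback is only needed when running it under an older Node.js instead of a browser.

```javascript
// Added example: HMAC over a UTF-8 message and key with the Web Crypto API.
const subtle = globalThis.crypto?.subtle ??
  require("node:crypto").webcrypto.subtle; // fallback for older Node.js
const enc = new TextEncoder();

// Import the UTF-8 secret as a non-extractable HMAC key bound to one hash.
function importKey(secret, hash) {
  return subtle.importKey("raw", enc.encode(secret),
    { name: "HMAC", hash }, false, ["sign", "verify"]);
}

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));

// Decode a hex tag; returns null for malformed input instead of throwing.
function fromHex(hex) {
  if (!/^([0-9a-fA-F]{2})+$/.test(hex)) return null;
  return Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));
}

// Compute the tag and encode it as "hex" (default) or "base64".
async function hmac(message, secret, hash = "SHA-256", encoding = "hex") {
  const key = await importKey(secret, hash);
  const tag = new Uint8Array(
    await subtle.sign("HMAC", key, enc.encode(message)));
  return encoding === "base64" ? toBase64(tag) : toHex(tag);
}

// Check a received hex tag. subtle.verify recomputes the HMAC and does the
// comparison inside the crypto implementation, so application code never
// compares tag strings with ===. A wrong key, hash, or malformed tag
// all yield false.
async function verifyHex(message, secret, tagHex, hash = "SHA-256") {
  const tag = fromHex(tagHex);
  if (tag === null) return false;
  const key = await importKey(secret, hash);
  return subtle.verify("HMAC", key, tag, enc.encode(message));
}
```

When checking a webhook, pass the raw request body exactly as received; re-serialized JSON will usually not match the bytes the sender signed.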
Frequently Asked Questions
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a keyed hash used to verify both the integrity and authenticity of a message. It combines your message with a secret key and a hash function, so only someone with the same key can produce or validate the same signature.
Which hash algorithms are supported?
You can generate HMACs with SHA-1, SHA-256, SHA-384, and SHA-512. SHA-256 is the most common default for APIs and webhooks. SHA-1 is offered for compatibility with older systems but is no longer recommended for new designs.
Is my secret key sent anywhere?
No. The HMAC is computed entirely in your browser using the native Web Crypto API. Your message and secret key never leave your device and nothing is uploaded to a server.