HMAC Generator

Generate HMAC signatures using SHA-1, SHA-256, SHA-384, or SHA-512

What is HMAC Generator?

HMAC (Hash-based Message Authentication Code) is a keyed cryptographic checksum that lets anyone holding the key verify both the integrity and the authenticity of a message. It combines a secret key with a hash function (SHA-256, SHA-512, etc.) to produce an authentication tag, commonly called a signature. If even one byte of the message or the key changes, the HMAC output changes completely.

How to Use

  1. Enter the message you want to sign in the Message field
  2. Enter your secret key in the Secret Key field
  3. Select the hash algorithm (SHA-256 is recommended)
  4. Click Generate HMAC to produce the signature
  5. Copy the hex output and use it to verify message authenticity

Why Use This Tool?

  • Verify webhook signatures from Stripe, GitHub, Slack, etc.
  • Sign API requests for authentication
  • Ensure message integrity in data pipelines
  • All computation happens in your browser — secrets never leave your device

Tips & Best Practices

  • SHA-256 is the most commonly used algorithm for HMAC
  • Never share your secret key — it should be stored securely
  • HMAC is not encryption — it only verifies authenticity, not confidentiality
  • Use constant-time comparison when verifying HMACs in your code to prevent timing attacks
  • For webhook verification, always compare the full HMAC signature, not just a prefix

Frequently Asked Questions

What is HMAC used for?

HMAC is primarily used for message authentication and integrity verification. Common use cases include: verifying webhook payloads (Stripe, GitHub, Slack), signing API requests, authenticating JWT tokens, and ensuring data hasn't been tampered with in transit.

Which algorithm should I use?

SHA-256 is the standard choice and is recommended for most use cases. SHA-512 provides stronger security but produces longer signatures. SHA-1 is deprecated for security purposes but may be needed for legacy systems. Use SHA-256 unless you have a specific reason to choose otherwise.

Is HMAC the same as hashing?

No. Regular hashing (like SHA-256) produces the same output for the same input — anyone can compute it. HMAC requires a secret key, so only someone with the key can produce the correct signature. This makes HMAC suitable for authentication while plain hashing is not.

How do I verify a webhook signature?

Most webhook providers send an HMAC signature in a header (e.g., X-Signature-256). To verify: take the raw request body exactly as received (not a parsed and re-serialized copy), compute the HMAC over it with your webhook secret using the same algorithm the provider uses, and compare the full result with the signature from the header using a constant-time comparison. If they match, the webhook is authentic.

Is my secret key safe?

Yes. The HMAC is computed entirely in your browser using the Web Crypto API. Your message and secret key are never sent to any server. However, be cautious when using online tools on shared or public computers.

What's the difference between HMAC and digital signatures?

HMAC uses a shared secret key — both the sender and receiver must know the key. Digital signatures (RSA, ECDSA) use asymmetric keys — the sender signs with a private key, and anyone can verify with the public key. HMAC is simpler and faster but requires secure key distribution.
