HMAC Generator: Create HMAC-SHA256 and HMAC-SHA512 Signatures Online
Generate HMAC-SHA256 and HMAC-SHA512 signatures for API authentication and data integrity verification — computed entirely in your browser.
HMAC, the Hash-based Message Authentication Code, is a widely used cryptographic construction that combines a hash function with a secret key to produce a tag that verifies both the integrity and the authenticity of a message. Unlike a plain hash, which anyone can compute, an HMAC can only be produced and verified by parties who hold the shared secret key. Because sender and verifier share the same key, an HMAC is a message authentication code rather than a digital signature: it proves the message came from a key holder, not which one, so it provides no non-repudiation. Within that scope it is invaluable for API authentication, webhook verification, and secure message exchange.
HMAC-SHA256 and HMAC-SHA512 are the most common variants, using the SHA-256 and SHA-512 hash functions respectively. The HMAC construction itself is specified in RFC 2104 (and FIPS 198-1); RFC 4868 covers the SHA-2 variants and RFC 4231 publishes test vectors for them. They underpin many major APIs: AWS Signature Version 4, GitHub webhook signatures, Stripe payment webhooks, and JWT HS256/HS512 tokens all rely on HMAC for their security.
This tool lets you generate HMAC signatures instantly by providing a message and a secret key. It runs entirely in your browser using the Web Crypto API — no keys or messages are sent to any server. Use it to generate test signatures while integrating an API, verify that your implementation produces correct output, or sign messages manually for debugging and troubleshooting.
What Is HMAC and How Does It Work?
HMAC (Hash-based Message Authentication Code) is a construction defined in RFC 2104 that uses a cryptographic hash function and a secret key to produce a fixed-length authentication code for a message. The construction is: HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)), where H is the hash function, K is the key, K' is the key brought to the hash function's block size (a key longer than the block size is first replaced by H(K); a shorter key is zero-padded on the right), ipad is the byte 0x36 repeated to the block size, opad is the byte 0x5C repeated to the block size, and || denotes concatenation. The block size is 64 bytes for SHA-256 and 128 bytes for SHA-512, so keys up to those lengths are used as-is. The nested inner and outer hashing is what makes HMAC safe with Merkle-Damgard hashes such as SHA-256: a naive H(K || m) is vulnerable to length-extension attacks, while HMAC is not.
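The construction above, written out step by step as an added example (not code from the tool page). It uses only Python's hashlib so the formula can be checked against the standard hmac module and against RFC 4231 test case 1; the 200-byte key used to show the long-key rule is constructed for the example.

```python
import hashlib
import hmac

# RFC 2104 padding constants: ipad is 0x36 repeated, opad is 0x5C repeated.
IPAD_BYTE = 0x36
OPAD_BYTE = 0x5C


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)), built from hashlib alone."""
    h = getattr(hashlib, hash_name)
    block_size = h().block_size  # 64 bytes for SHA-256, 128 bytes for SHA-512
    # RFC 2104: a key longer than the block size is first replaced by its hash.
    if len(key) > block_size:
        key = h(key).digest()
    # K' is the (possibly hashed) key zero-padded on the right to exactly one block.
    k_prime = key.ljust(block_size, b"\x00")
    inner_key = bytes(b ^ IPAD_BYTE for b in k_prime)
    outer_key = bytes(b ^ OPAD_BYTE for b in k_prime)
    inner = h(inner_key + message).digest()
    return h(outer_key + inner).digest()


def hmac_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """The same computation via Python's hmac module, used as the reference."""
    return hmac.new(key, message, hash_name).digest()


def long_key_is_hashed_first(hash_name: str = "sha256") -> bool:
    """Consequence of the key-hashing rule: a key longer than the block size and the
    digest of that key produce identical HMACs, so bytes beyond the block size add nothing."""
    h = getattr(hashlib, hash_name)
    long_key = bytes(range(200))  # constructed 200-byte key, longer than either block size
    return hmac_stdlib(long_key, b"msg", hash_name) == hmac_stdlib(h(long_key).digest(), b"msg", hash_name)


# RFC 4231 test case 1: key = 20 bytes of 0x0b, data = "Hi There".
RFC4231_CASE1_KEY = b"\x0b" * 20
RFC4231_CASE1_DATA = b"Hi There"
RFC4231_CASE1_SHA256 = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
RFC4231_CASE1_SHA512 = ("87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cde"
                        "daa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854")

if __name__ == "__main__":
    for name in ("sha256", "sha512"):
        ours = hmac_from_scratch(RFC4231_CASE1_KEY, RFC4231_CASE1_DATA, name).hex()
        ref = hmac_stdlib(RFC4231_CASE1_KEY, RFC4231_CASE1_DATA, name).hex()
        print(name, "from-scratch matches stdlib:", ours == ref)
```

The two padded keys are derived once per key, which is why real implementations cache the inner and outer hash states; the from-scratch version is for checking the math, not for production use.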
The critical security property of HMAC is that without knowledge of the secret key, an attacker cannot forge a valid HMAC for any message — not even if they have seen valid HMACs for many other messages. This is stronger than a plain hash, which anyone can compute. An HMAC simultaneously proves that the message has not been altered (integrity) and that it was produced by someone with the key (authenticity).
HMAC-SHA256 produces a 256-bit (32-byte) authentication code, typically encoded as a 64-character lowercase hex string or a 44-character Base64 string (43 characters as unpadded Base64url). HMAC-SHA512 produces a 512-bit (64-byte) code: 128 hex characters or 88 Base64 characters. Both are considered secure; HMAC-SHA512 has a larger security margin and is usually faster on 64-bit hardware for large messages, while HMAC-SHA256 is more widely supported and produces shorter tags.
How to Use This Tool
Generating an HMAC signature requires a message and a secret key.
1. Enter the message. Type or paste the message you want to authenticate into the Message field. This is the data whose integrity and authenticity you want to guarantee, for example an API request body, a webhook payload, or any string.
2. Enter the secret key. Type or paste the secret key into the Key field. This key must be kept confidential and shared only with parties who need to verify the HMAC. For security, use a randomly generated key of at least 32 bytes.
3. Select the algorithm. Choose HMAC-SHA256 or HMAC-SHA512. HMAC-SHA256 is the most widely supported and suitable for the vast majority of use cases. Use HMAC-SHA512 when a larger security margin or faster performance on large messages is desired.
4. Choose output encoding. Select Hex (lowercase hexadecimal) or Base64 as the output format. Many APIs specify which encoding they expect: AWS uses hex, for example, while many JWT libraries use Base64url.
5. Copy the signature. Click Generate and then Copy to use the HMAC signature. Compare it against the expected signature in your API or library to confirm your implementation is correct.
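The same five steps done programmatically, as an added example that is not part of the tool page, using only the Python standard library. It adds the two checks that most often explain a mismatch between a tool and your own code: whether a hex-encoded secret was decoded to raw bytes before use, and whether the message bytes are exactly the same (a trailing newline is enough to change the tag). The key and message values are constructed; the reference tag is RFC 4231 test case 2.

```python
import base64
import hmac
import secrets


def generate_key(length: int = 32) -> bytes:
    """Step 2 done properly: a CSPRNG key. 32 bytes is the minimum recommended for HMAC-SHA256."""
    return secrets.token_bytes(length)


def sign(message: bytes, key: bytes, algorithm: str = "sha256", encoding: str = "hex") -> str:
    """Steps 1-5: HMAC the exact message bytes with the key and encode the tag."""
    if algorithm not in ("sha256", "sha512"):
        raise ValueError("algorithm must be sha256 or sha512")
    tag = hmac.new(key, message, algorithm).digest()
    if encoding == "hex":
        return tag.hex()  # lowercase; 64 chars for SHA-256, 128 for SHA-512
    if encoding == "base64":
        return base64.b64encode(tag).decode("ascii")  # 44 chars for SHA-256 (one '='), 88 for SHA-512
    if encoding == "base64url":
        # JWT-style: '-' and '_' instead of '+' and '/', and the '=' padding removed.
        return base64.urlsafe_b64encode(tag).rstrip(b"=").decode("ascii")
    raise ValueError("encoding must be hex, base64 or base64url")


def key_encoding_mismatch(hex_secret: str, message: bytes) -> bool:
    """A frequent cause of 'my signature doesn't match': a secret handed out as a hex string
    must be decoded to raw bytes. Feeding the hex text itself in as the key gives a different tag."""
    return sign(message, bytes.fromhex(hex_secret)) != sign(message, hex_secret.encode("ascii"))


def message_bytes_matter(key: bytes) -> bool:
    """The tag covers the exact bytes: 'hello' and 'hello\\n' sign differently."""
    return sign(b"hello", key) != sign(b"hello\n", key)


# Constructed inputs (RFC 4231 test case 2), not a real secret.
EXAMPLE_KEY = b"Jefe"
EXAMPLE_MESSAGE = b"what do ya want for nothing?"
EXAMPLE_SHA256_HEX = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"

if __name__ == "__main__":
    for enc in ("hex", "base64", "base64url"):
        print(enc, sign(EXAMPLE_MESSAGE, EXAMPLE_KEY, "sha256", enc))
    print("hex-vs-raw key mismatch:", key_encoding_mismatch("a1b2c3d4" * 8, EXAMPLE_MESSAGE))
```

Entering "Jefe" and "what do ya want for nothing?" into the tool should reproduce EXAMPLE_SHA256_HEX; if your own code disagrees, the two helper checks point at the usual culprits before you suspect the algorithm.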
Common Use Cases
HMAC is used extensively across modern software systems for authentication and integrity verification.
- Verifying webhook payloads from services like GitHub, Stripe, and Twilio — the service signs the request body with your shared secret, and your server verifies the signature before processing.
- Implementing API request signing such as AWS Signature Version 4, where each request is signed with your secret access key to authenticate it without transmitting the key itself.
- Generating and verifying JWT tokens with the HS256 or HS512 algorithm for stateless authentication in web applications and microservices.
- Authenticating messages in inter-service communication within a microservices architecture where services share a secret key.
- Debugging and validating HMAC implementations by comparing tool output against your code's output to pinpoint discrepancies in key encoding, message formatting, or algorithm selection.
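Webhook verification from the first use case, as an added example that is not part of the tool page and not any provider's own code. It follows the GitHub-style "sha256=" + hex header format; the secret and the JSON body are constructed for the example. The insecure variant with == is shown beside the constant-time version, and the last helper demonstrates why the check must run over the raw bytes rather than a re-serialized body.

```python
import hashlib
import hmac
import json

# Constructed for this example: a shared secret and a webhook body as it arrives on the wire.
SECRET = b"constructed-webhook-secret-do-not-reuse"
RAW_BODY = b'{"event": "payment.completed", "amount": 100, "currency": "USD"}'


def sign_body(secret: bytes, body: bytes) -> str:
    """What the sender computes and places in the signature header: 'sha256=' + lowercase hex."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_insecure(secret: bytes, body: bytes, header: str) -> bool:
    """Do not use. '==' returns at the first differing character, so the response time
    leaks how long a correct prefix the attacker has guessed."""
    return sign_body(secret, body) == header


def verify(secret: bytes, body: bytes, header: str) -> bool:
    """Recompute over the raw body and compare in constant time."""
    if not header.startswith("sha256="):
        return False  # wrong or missing scheme; never fall back to a weaker one
    expected = sign_body(secret, body).encode("ascii")
    # Compare as bytes: compare_digest raises on non-ASCII str, and the header is attacker-controlled.
    return hmac.compare_digest(expected, header.encode("utf-8"))


def reserialized(body: bytes) -> bytes:
    """Parsing and re-dumping the JSON changes whitespace, so a tag computed over this
    will not match the sender's: always verify the bytes exactly as received."""
    return json.dumps(json.loads(body), separators=(",", ":")).encode("utf-8")


if __name__ == "__main__":
    header = sign_body(SECRET, RAW_BODY)
    print("genuine:        ", verify(SECRET, RAW_BODY, header))
    print("tampered amount:", verify(SECRET, RAW_BODY.replace(b"100", b"1"), header))
    print("re-serialized:  ", verify(SECRET, reserialized(RAW_BODY), header))
```

In a web framework this means reading the request body as bytes before any JSON middleware touches it, and parsing only after verify() returns True.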
Tips and Best Practices
Use HMAC correctly to get its full security benefits.
- Use a randomly generated key of at least 256 bits (32 bytes), which matches the output size and security level of HMAC-SHA256; use 64 bytes with HMAC-SHA512 if you want its full margin. A short or predictable key drastically weakens the scheme. Going beyond the hash's block size (64 bytes for SHA-256, 128 for SHA-512) buys nothing, because longer keys are hashed down to digest length before use.
- Rotate HMAC keys periodically and immediately upon suspected compromise. Design your system to support key rotation with minimal downtime.
- Never include the HMAC key in client-side code, mobile apps, or public repositories. Keys must remain on the server side only.
- When verifying an HMAC, use a constant-time comparison function (hmac.compare_digest in Python, crypto.timingSafeEqual in Node.js) rather than ==, which returns at the first differing byte and can leak, through timing, how much of an attacker's guess is correct.
- HMAC provides integrity and authenticity but not confidentiality: the message itself is not encrypted. If you need to keep the contents secret, use an AEAD mode such as AES-GCM or ChaCha20-Poly1305, or apply encrypt-then-MAC: encrypt first, then HMAC the ciphertext with a separate key.
Security Considerations
The security of HMAC depends entirely on the secrecy of the key. If the key is compromised, an attacker can forge valid HMACs for any message. Treat HMAC keys with the same care as passwords — store them in environment variables or secrets management systems, never in source code.
This tool runs client-side and never transmits your key or message to any server. However, be cautious when generating HMAC signatures for production keys on shared or untrusted devices. For production workflows, generate signatures programmatically on your server where the key is already securely stored.
Frequently Asked Questions
What is the difference between HMAC and a regular hash?
A regular hash (like SHA-256) of a message can be computed by anyone — it proves integrity but not authenticity. HMAC adds a secret key to the computation, so only parties with the key can produce or verify the code. This makes HMAC a Message Authentication Code (MAC), not just a checksum.
Is HMAC-SHA256 or HMAC-SHA512 more secure?
Both are secure for current applications. HMAC's strength does not rest on the hash's collision resistance (HMAC-MD5 still has no practical forgery attack even though MD5 collisions are trivial, although it should not be used for new systems); what matters is the key length and the tag length. Generic forgery attacks need on the order of 2^128 MAC queries against HMAC-SHA256 and 2^256 against HMAC-SHA512, and key recovery is bounded by the key length, so neither is anywhere near practical reach. Use HMAC-SHA512 if you want a larger margin (for example against Grover-style quantum search, which roughly halves key-search security) or if you are hashing very large messages on 64-bit hardware where SHA-512 is faster.
Can HMAC be used for password hashing?
No. HMAC is fast by design, which makes it a poor choice for password hashing where slowness is a security feature. Use bcrypt, scrypt, or Argon2 for password hashing. HMAC is designed for authenticating messages and API requests, not for protecting stored credentials.
What should I use as the HMAC key?
Use a cryptographically random key of at least 32 bytes (256 bits) for HMAC-SHA256. Generate it using a CSPRNG — a secure random token generator tool or `openssl rand -hex 32` on the command line. Never use passwords, usernames, or other predictable values as HMAC keys.
How do I verify a webhook HMAC signature?
Compute HMAC-SHA256 (or whatever algorithm the service specifies) over the raw request body exactly as received, before any JSON parsing, re-serialization, or charset conversion, using your shared secret as the key. Then compare the result against the signature from the request header using a constant-time comparison. If they match, the webhook is authentic. Some providers sign more than the body (Stripe, for example, prefixes a timestamp from its Stripe-Signature header to limit replay), so check the provider's documentation for the exact signed string.
What encoding should I use for HMAC output — hex or Base64?
It depends on the API or protocol you are working with. AWS Signature V4 uses lowercase hex. GitHub webhook signatures use hex prefixed with 'sha256='. JWT HS256 uses Base64url (a variant of Base64 with URL-safe characters and no padding). Check the documentation for whatever system you are integrating with.
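A minimal JWT HS256 signer and verifier, as an added example that is not part of the tool page and not any JWT library's code, to show the Base64url-without-padding encoding in context. It uses only the Python standard library; the claims and key are constructed. The verifier pins the algorithm to HS256 rather than trusting the token's own header, and it does not validate claims such as exp, which a real deployment must also do.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url as JWT uses it: '-' and '_' alphabet, '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256_sign(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact serialization: base64url(header).base64url(payload) is the signing input.
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8")))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def jwt_hs256_verify(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature checks out, otherwise None."""
    if not token.isascii():
        return None
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return None
    # Pin the algorithm: the token must not be allowed to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (head_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None


def swap_payload(token: str, claims: dict) -> str:
    """Attacker move used for testing: keep header and signature, replace the claims."""
    head_b64, _, sig_b64 = token.split(".")
    return head_b64 + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8")) + "." + sig_b64


if __name__ == "__main__":
    key = b"constructed-example-key"
    token = jwt_hs256_sign({"sub": "alice", "role": "user"}, key)
    print(token)
    print("verified:", jwt_hs256_verify(token, key))
    print("payload swapped:", jwt_hs256_verify(swap_payload(token, {"sub": "alice", "role": "admin"}), key))
```

Note that the signature is computed over the Base64url text of header and payload, not over the raw JSON, and that the output contains no '=' characters, which is why pasting a JWT signature into a tool that expects standard Base64 fails.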
Does this tool send my secret key to a server?
No. The HMAC computation happens entirely in your browser using the Web Crypto API. Neither the message nor the key is transmitted anywhere. You can confirm this by inspecting the Network tab in browser DevTools while using the tool.