Free Online HMAC Generator – SHA-256, SHA-512, SHA-384, SHA-1
Enter your message and secret key, pick an algorithm, and get your HMAC signature instantly.
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a secret key with a message and a hash function to produce a unique fixed-length signature. It proves both the integrity (the message wasn't altered) and authenticity (the sender knows the secret key) of the data.
HMAC is standardised in RFC 2104 and is used in HTTPS, JWTs, API authentication, webhook verification, OAuth, and more. Unlike plain hashing (SHA-256 alone), HMAC cannot be replicated without knowing the secret key — making it significantly more secure for authentication purposes.
Algorithm Comparison
| Algorithm | Output Size | Security Level | Best Use Case |
|---|---|---|---|
| HMAC-SHA-256 | 256 bits / 64 hex chars | ✅ Strong — Recommended | General purpose, APIs, JWTs, webhooks |
| HMAC-SHA-384 | 384 bits / 96 hex chars | ✅ Very Strong | High-security applications, compliance |
| HMAC-SHA-512 | 512 bits / 128 hex chars | ✅ Maximum | Highest security needs, long-term storage |
| HMAC-SHA-1 | 160 bits / 40 hex chars | ⚠️ Legacy only | Legacy systems, GitHub webhooks (old format) |
How to Use This HMAC Generator
Type or paste the message or data payload you want to authenticate.
Provide your secret key. This must match exactly on both sender and receiver sides. Use the eye icon to toggle visibility.
Select SHA-256 (recommended), SHA-384, SHA-512, or SHA-1 for legacy systems.
Pick Hex, Base64, or Base64url output format depending on your system's requirements.
Click "Generate HMAC" or enable Live Mode for instant real-time generation as you type.
Copy the HMAC signature and use it in your API header, webhook, or JWT.
Who Uses HMAC?
Sign API requests with HMAC so servers can verify the request came from a legitimate client with the correct key.
GitHub, Stripe, Shopify, and most platforms send HMAC signatures with webhooks so you can verify the payload isn't forged.
HMAC-SHA256 is the most common algorithm for signing JSON Web Tokens (HS256 in JWT spec).
Verify that files or messages haven't been tampered with during transmission — any change invalidates the HMAC.
Test and verify HMAC implementations in your codebase, compare outputs across languages and libraries.
Quickly generate test HMAC values during development without writing code. Ctrl+Enter to generate instantly.
Frequently Asked Questions
Is my message and secret key sent to any server?
window.crypto.subtle Web Crypto API — a native, sandboxed cryptography engine built into every modern browser. Your message and secret key never leave your device. See our Zero Data Storage Policy.What is the difference between HMAC and a plain hash (SHA-256)?
Which algorithm should I use?
When should I use Hex vs Base64 vs Base64url output?
+// with -/_ and strips padding — use it for JWTs, URL parameters, and anywhere the standard Base64 characters would need escaping.How do I verify a webhook HMAC signature?
What is Live Mode?
Ctrl+Enter / Cmd+Enter to generate manually.