Security Tools
Developer ToolsHMAC Generator
Generate HMAC signatures using a secret key. Use HMAC-SHA256 or HMAC-SHA512 for best security.
Algorithm
HMAC Result
Enter message and key to generate HMAC
Note: For security-critical applications prefer HMAC-SHA256 or HMAC-SHA512.
Related Tools
About HMAC
How it works
HMAC combines a secret key with a hash function to produce a message authentication code. It ensures that a message comes from a party that knows the secret and that the message has not been tampered with.
This tool computes the HMAC locally in your browser.
Common use cases
- Signing API requests where both sides share a secret key
- Verifying message integrity between systems
- Creating simple message authentication for webhooks
Frequently Asked Questions
What is HMAC and when should I use it?
HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message using a secret key and a hash function. Use it when two parties share a secret and need to ensure messages were not tampered with.
Which HMAC algorithms are supported?
This tool supports common algorithms including HMAC-SHA256, HMAC-SHA1, HMAC-SHA512, HMAC-SHA384, HMAC-SHA224 and HMAC-MD5. For best security choose HMAC-SHA256 or HMAC-SHA512.
Is my data sent to a server when generating HMACs?
No. All HMAC computation is performed locally in your browser. The input text and secret key are not transmitted to any server.
Can I verify an HMAC produced elsewhere using this tool?
Yes. Paste the message, the secret key, select the same algorithm, and compare the generated HMAC with the provided value. Use the copy feature to transfer values quickly.
What output formats are available?
This tool displays HMAC output as a hexadecimal string. You can copy the value to convert it to other formats using related tools like Base64 encoder/decoder.
Are some algorithms insecure?
MD5 is considered weak and should not be used for security-critical applications. Prefer HMAC-SHA256 or HMAC-SHA512 for robust security.
Can I use Unicode or binary data as input or key?
Yes. The tool accepts arbitrary text. Internally it encodes strings as UTF-8 before computing the HMAC. For binary keys or data, encode them into a textual form (e.g., Base64) before computing.
Does the tool support Web Crypto for better performance?
When available, the browser Web Crypto API is used for HMAC-SHA algorithms for better performance and security. Fallback libraries are used when Web Crypto is not available or the algorithm is not supported.
Can I use this for password storage?
No. HMAC is not a password hashing function. Use bcrypt, Argon2, or scrypt for password storage which are purposely slow and include salts.
What should I do if the generated HMAC does not match an expected value?
Double-check the secret key and algorithm. Ensure there are no extra whitespace characters and that both sides use the same text encoding (UTF-8). If still mismatching, verify input normalization (line endings).