HMAC Generator

Generate HMAC (Hash-based Message Authentication Code) using SHA-256, SHA-512, or SHA-384. Output in Hex, Base64, or URL-safe Base64URL format. Built-in HMAC verification tool. Auto-generates a secure random key. Explains how HMAC works and shows common use cases: webhook verification (GitHub, Stripe), AWS API signing, JWT HS256/HS512.

How HMAC Works

HMAC = hash(secret + message). It ensures both authenticity (only someone with the secret key could have created it) and integrity (message hasn't been tampered with). Unlike a regular hash, HMAC requires a shared secret key.

Algorithms Supported

SHA-256: 256-bit output, standard for most APIs (GitHub, Stripe, AWS). SHA-512: 512-bit output, stronger security margin. SHA-384: 384-bit output, truncated SHA-512.

Output Formats

Hex: Hexadecimal string (64 chars for SHA-256). Base64: Standard Base64 encoding (44 chars for SHA-256). Base64URL: URL-safe Base64 (replaces + with -, / with _, no padding).

Use Cases

Webhook verification: GitHub, Stripe, and other services sign webhook payloads with HMAC to verify authenticity. API authentication: AWS Signature V4 uses HMAC-SHA256. JWT: HS256 and HS512 algorithms use HMAC. Data integrity: Verify files or messages haven't been tampered with.

HMAC Verification

Paste your HMAC output and the tool will verify if it matches the expected signature for your message and secret key. Helps debug API signing issues.