HMAC Generator
Generate HMAC signatures with SHA-1, SHA-256, SHA-384, or SHA-512 using a secret key for API authentication, webhook verification, and message integrity checks.
What HMAC Generator Does
HMAC Generator is a free browser-based tool for creating HMAC signatures from a message and a shared secret key using algorithms such as SHA-1, SHA-256, SHA-384, and SHA-512. HMAC stands for Hash-based Message Authentication Code, and it is widely used in API authentication, webhook verification, signed requests, and any workflow where two systems need to prove that a message has not been changed and came from a party that knows the secret. Unlike a plain hash, an HMAC depends on both the message and the secret key. That difference matters because it turns the hash into a verification mechanism rather than just a digest. If the message changes or the wrong secret is used, the generated signature changes too. This is why HMAC appears in many production systems including payment gateways, cloud APIs, and webhook security flows. This tool is especially useful for developers and QA teams testing authentication logic. If a webhook signature does not match, you need a fast way to reproduce the expected HMAC with the same payload and secret. If an API requires signed requests, you may want to confirm the output format before implementing the logic in code. A browser-based tool makes those checks fast. The available algorithm selection is also practical because different platforms require different HMAC variants. SHA-256 is a common modern default, but some integrations still use SHA-1 or stronger SHA-512-based signatures. When used correctly, HMAC is one of the most useful building blocks in shared-secret security design. This generator makes it easier to test, verify, and understand those flows without writing a custom script every time.
Key Features
Multiple HMAC algorithms
Generate signatures with SHA-1, SHA-256, SHA-384, or SHA-512 depending on your integration requirements.
Shared-secret signature testing
Useful for reproducing signed message workflows used by APIs and webhooks.
Message and key input workflow
Lets you control the exact message and secret used in the generated signature during debugging.
Recent HMAC history
Stores a short local history of generated values for faster comparison in repeated test sessions.
Copy-ready output
Move the generated signature directly into your verification, testing, or documentation workflow.
Common Use Cases
Verifying a webhook signature
Developers can reproduce the expected signature and compare it with what the provider sent.Testing API request signing
Teams can verify whether their secret key and algorithm configuration produce the required HMAC output.Debugging integration mismatches
QA engineers can isolate whether an auth issue is caused by payload formatting, algorithm choice, or secret key usage.Learning message authentication concepts
Students and junior developers can see how shared-secret signatures differ from plain hashes.
5How to Use It
- 1Enter the messageProvide the exact payload or text that should be signed.
- 2Enter the secret keyAdd the shared secret used to generate the HMAC signature.
- 3Choose the algorithmSelect the HMAC variant required by your target system.
- 4Generate the HMACRun the generator and produce the signature from the message and secret.
- 5Compare or copy the resultUse the output in your verification flow, documentation, or debugging notes.
Developer Note
Furkan Beydemir - Frontend Developer
HMAC bugs are often tiny formatting bugs that take too long to spot. I built this generator so developers can reproduce signatures quickly and focus on the real integration mismatch.
Examples
Webhook verification sample
Input: Message: order=123 | Secret: webhook_secret | Algorithm: SHA-256
Output: A hex-encoded HMAC signature that can be compared with a provider header value.
Signed API request
Input: Message: GET:/v1/balance:1700000000 | Secret: api_shared_key
Output: A deterministic HMAC digest used to validate the request on the receiving side.
Algorithm comparison
Input: Same message and key with SHA-256 vs SHA-512
Output: Different valid HMAC outputs that illustrate how algorithm choice affects the signature.
Troubleshooting
My HMAC does not match the provider signature
Cause: The message body, secret key, algorithm, or formatting may differ from what the provider signed.
Fix: Verify the exact raw payload, encoding, key value, and algorithm requirement before comparing outputs again.
The same message generates different signatures elsewhere
Cause: Line endings, whitespace, character encoding, or message serialization may differ across systems.
Fix: Make sure both environments use the identical byte representation of the message before generating the HMAC.
I expected encryption instead of a signature
Cause: HMAC only authenticates and verifies integrity; it does not hide the underlying message.
Fix: Use encryption or transport security in addition to HMAC if the message contents must remain confidential.
FAQ
What is the difference between HMAC and a normal hash?
A normal hash depends only on the input message, while an HMAC depends on both the message and a secret key. That makes HMAC useful for message authenticity and integrity verification because only parties with the shared secret can reproduce the same signature reliably.
When is HMAC commonly used?
HMAC is commonly used in API authentication, webhook verification, signed callbacks, shared-secret request validation, and systems where two parties need to verify message integrity without exposing the secret directly. It is especially common in payment and infrastructure integrations.
Which HMAC algorithm should I choose?
Use the algorithm required by the system you are integrating with. SHA-256 is a common modern default, while some providers use SHA-1 for compatibility or SHA-512 for stronger output. The right choice is usually determined by the receiving service's documentation.
Does HMAC encrypt the message?
No. HMAC does not encrypt or hide the message contents. It only produces a signature used to verify integrity and shared-secret knowledge. If confidentiality is required, you still need transport security or encryption in addition to HMAC.
Why would two HMAC values differ for the same message?
Differences usually come from a changed secret key, altered whitespace or formatting in the message, encoding mismatches, or use of a different algorithm. Even small message changes can produce a totally different HMAC output.
Related Security and Networking
Related Security and Networking Tools
Explore more tools similar to hmac-generator in the Security and Networking category
- JavaScript Obfuscator - Obfuscate JavaScript code with configurable protection settings such as string array encoding, control-flow flattening, dead-code injection, and debug resistance.
- Email Validation - Validate email addresses for correct format, MX records, and disposable-domain risk. Useful for signup forms, outreach lists, and data cleanup workflows.
- SMTP Checker - Test SMTP host, port, username, and password details to verify whether a mail server accepts a connection with the credentials provided.
- DNS Lookup - Check DNS records for a domain, including A, AAAA, MX, TXT, CNAME, and SOA data. Useful for troubleshooting, migrations, email setup, and infrastructure audits.
- Whois Checker - Look up WHOIS details for a domain, including registrar, registration dates, and ownership-related records when publicly available. Useful for domain research, audits, and security checks.
- SSL Checker - Check SSL certificate details for a domain, including issuer, validity dates, protocol, cipher, and days remaining before expiration.
- WebSite Status - Check whether a website is online, review response status, response time, HTTPS presence, and basic server/security signals in one quick scan.
- User Agent Finder - View your browser's current user agent string instantly. Useful for compatibility checks, support tickets, QA workflows, and browser debugging.
- What Is My IP - Find your current public IP address along with approximate location, ISP, hostname, timezone, and related network details in one quick lookup.
- Decode/Encode JWT - Decode JWT header and payload data or create unsigned example tokens from JSON input for debugging, education, and authentication troubleshooting.
- Password Generator - Generate cryptographically secure random passwords with customizable length, character sets, and complexity requirements to protect your online accounts.
- CRC32 Generator - Generate CRC32 checksums for fast error detection and accidental corruption checks in file, network, and archival workflows.
- MD5 Generator - Generate MD5 hashes for non-security checks, legacy compatibility, and checksum-style workflows while keeping clear warnings about MD5 limitations.
- SHA256 Generator - Generate SHA-256 hashes from text input for integrity checks, signatures, fingerprints, and modern cryptographic workflows that need stronger hashing than MD5.
- Bcrypt Hash Generator - Generate and verify secure bcrypt password hashes with configurable salt rounds.
- SHA-1 Generator - Generate SHA-1 hashes for legacy systems and non-security purposes.
- SHA-512 Generator - Generate maximum-security SHA-512 hashes for high-security applications.
- Domain Age Checker - Check when a domain was first registered and calculate its age in years, months, and total days for SEO research, due diligence, and trust review.
- SQL Injection Test - Test SQL query patterns against common injection payloads, review risk heuristics, and study defensive coding practices such as prepared statements and input validation.
Blog Posts About This Tool
Learn when to use HMAC Generator, common workflows, and related best practices from our blog.
Every blog needs a Terms & Conditions page. Learn what to include and generate one free in minutes with our T&C generator. No lawyer or signup required.
Top free web development tools in 2025: JSON formatters, regex testers, API clients, code minifiers, and more. All browser-based — no install, no signup.
Best free web security tools for developers and site owners: SSL checkers, vulnerability scanners, DNS lookup, and malware detection. Audit your site for free.