Skip to content
TextArray
100% local

HMAC generator

Compute HMAC-SHA256, SHA-1, SHA-384 or SHA-512 signatures with a secret key.

Input
Output

HMAC generator

An HMAC is a keyed hash: the message and a secret key go in together, and only someone holding the same key can reproduce or verify the result. That is what API providers use to sign requests and what webhook senders like payment platforms and code hosting services attach to every delivery, so the receiver can prove the payload really came from them and was not altered in transit.

Enter the secret key, pick the algorithm the other side uses — SHA-256 is the overwhelming default — and paste the message. The digest appears as lowercase hex or as Base64, matching the two formats signatures are exchanged in. Turn on the HMAC per line to sign each input line separately, which suits a column of tokens or IDs. Developers reach for this while debugging a webhook handler that rejects signatures, reproducing a documentation example, or generating a test vector for a unit test.

Both the key and the message are taken as UTF-8 bytes, exactly as most server SDKs do. When your result does not match the other side, the cause is almost always bytes, not math: a trailing newline in the payload, CRLF line endings, hex output compared against Base64, or a key that the service supplies Base64- or hex-encoded and expects decoded before use.

The key field is masked and is deliberately never written to your browser's storage. Everything runs locally through the browser's built-in WebCrypto — pasting a signing secret into an online HMAC tool normally hands it to that server, and here it never leaves your device.

FAQ

What is an HMAC used for?
Proving that a message comes from someone who holds the shared secret and was not modified along the way. Typical uses: signing API requests, verifying webhook deliveries from payment and hosting platforms, and signing tokens. The receiver recomputes the HMAC with the same key and compares.
How is HMAC different from a plain hash?
A plain SHA-256 of a message can be computed by anyone, so it proves nothing about the sender. An HMAC mixes a secret key into the computation in a way that resists tampering — without the key you can neither forge a valid signature nor verify one. That is also why HMAC-SHA1 remains acceptable in practice even though plain SHA-1 is broken for collisions, though new designs should still pick SHA-256.
Why does my HMAC not match the one the server sends?
Almost always the bytes differ. Check for a trailing newline in the payload, CRLF versus LF line endings, hex compared against Base64, and the key format — many services hand you the secret Base64- or hex-encoded and expect the decoded bytes as the key. This tool uses the key exactly as typed, as UTF-8.
Can someone recover my key from an HMAC?
No practical attack recovers the key from digests. But anyone holding the key can sign arbitrary messages, so treat signing secrets like passwords: rotate a webhook secret if it may have leaked, and never commit it to a repository.
Are my key and text uploaded anywhere?
No. The HMAC is computed by your browser's built-in WebCrypto, the key field is never written to storage, and neither the key nor the text ever leaves your device.