HMAC generator
Compute HMAC-SHA256, SHA-1, SHA-384 or SHA-512 signatures with a secret key.
Related tools
HMAC generator
An HMAC is a keyed hash: the message and a secret key go in together, and only someone holding the same key can reproduce or verify the result. That is what API providers use to sign requests and what webhook senders like payment platforms and code hosting services attach to every delivery, so the receiver can prove the payload really came from them and was not altered in transit.
Enter the secret key, pick the algorithm the other side uses — SHA-256 is the overwhelming default — and paste the message. The digest appears as lowercase hex or as Base64, matching the two formats signatures are exchanged in. Turn on the HMAC per line to sign each input line separately, which suits a column of tokens or IDs. Developers reach for this while debugging a webhook handler that rejects signatures, reproducing a documentation example, or generating a test vector for a unit test.
Both the key and the message are taken as UTF-8 bytes, exactly as most server SDKs do. When your result does not match the other side, the cause is almost always bytes, not math: a trailing newline in the payload, CRLF line endings, hex output compared against Base64, or a key that the service supplies Base64- or hex-encoded and expects decoded before use.
The key field is masked and is deliberately never written to your browser's storage. Everything runs locally through the browser's built-in WebCrypto — pasting a signing secret into an online HMAC tool normally hands it to that server, and here it never leaves your device.