D

HMAC Generator

Generate HMAC-SHA256, HMAC-SHA512 and other HMAC digests using browser Web Crypto.

Runs 100% in your browser — nothing is uploaded

About this tool

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a message authentication code. Unlike a plain hash, an HMAC proves both data integrity and authenticity: only someone who knows the secret key can produce the same HMAC for a given message.

This tool computes HMAC digests using the browser's native Web Crypto SubtleCrypto API, which is the same implementation used by HTTPS connections. Supported algorithms: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512. HMAC-SHA-256 is the most widely used — it is the algorithm behind AWS Signature V4, GitHub webhook verification, Stripe webhook signatures, and JWT HS256.

Nothing leaves your browser. You can verify by opening DevTools → Network while computing.

Frequently asked questions

What is the difference between a hash and an HMAC?
A hash takes data and produces a fixed-length fingerprint. An HMAC takes data AND a secret key. Without the key, an attacker cannot forge a valid HMAC even if they can produce valid hashes.
What is HMAC used for?
API request signing (AWS, GitHub, Stripe webhooks), JWT HS256/HS512 signatures, session cookie signing, and any scenario where you need to verify that a message was produced by someone who knows a shared secret.
Is HMAC-SHA1 secure?
HMAC-SHA1 remains secure for authentication purposes despite SHA-1's collision weaknesses, because HMAC does not require collision resistance. However, prefer HMAC-SHA256 for new applications.

Related tools

SHA Hash Generator

Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes using browser-native Web Crypto.

JWT Decoder / Debugger

Decode JWT headers and payloads, inspect claims, and optionally verify HS256 signatures — all in your browser.

Password Generator

Generate strong random passwords with configurable length, charset, and an entropy meter.