
HMAC Generator (Keyed-Hash)

Generate HMAC signatures with a secret key and your chosen hash algorithm. This tool helps ensure message authenticity and integrity in API security and data transfers.

The secret key is used to generate and verify the HMAC. Keep it secure!

About HMAC

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to provide both data integrity and authenticity verification.

Common uses include: API request signing, JWTs signed with HS256, tamper-evident session cookies, and verifying the origin of webhooks and other messages.

How HMAC Generation Works

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a signature that proves both message integrity and authenticity. Unlike plain hashes, you need the key to generate—or verify—the HMAC.

This tool uses the Web Crypto API to generate HMAC signatures. You provide a message and a secret key, choose an algorithm (SHA-256, SHA-384, or SHA-512), and it computes the HMAC using the standard HMAC construction defined in RFC 2104.

The HMAC process:

  1. Your secret key is imported into the Web Crypto API; the HMAC construction brings it to the hash's block size (64 bytes for SHA-256, 128 for SHA-384 and SHA-512), hashing it first if it is longer and zero-padding it if it is shorter
  2. The message is encoded to UTF-8 bytes
  3. The padded key is XORed with one constant (ipad, 0x36 repeated), prepended to the message and hashed; the padded key XORed with a second constant (opad, 0x5C repeated) is prepended to that inner digest and hashed again
  4. The outer digest is the signature; only someone holding the same key can reproduce it, so only they can check it
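The four steps above written out in full, as an added example rather than the tool's own code: a from-scratch HMAC following RFC 2104 with Python's hashlib, cross-checked against the standard-library hmac module and against a published RFC 4231 test vector. The key handling (hash if longer than the block size, zero-pad otherwise) is the part implementations most often get wrong.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, message: bytes, algorithm: str = "sha256") -> bytes:
    """HMAC exactly as RFC 2104 section 2 defines it:

        HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))

    where K' is the key brought to the hash's block size.
    """
    block_size = hashlib.new(algorithm).block_size  # 64 for SHA-256, 128 for SHA-384/512
    if len(key) > block_size:
        # A key longer than the block size is replaced by its hash, so bytes
        # beyond the block size buy nothing: the effective key is L bytes.
        key = hashlib.new(algorithm, key).digest()
    key = key.ljust(block_size, b"\x00")          # zero-pad a short key
    inner_key = bytes(b ^ 0x36 for b in key)       # K' xor ipad
    outer_key = bytes(b ^ 0x5C for b in key)       # K' xor opad
    inner_digest = hashlib.new(algorithm, inner_key + message).digest()
    return hashlib.new(algorithm, outer_key + inner_digest).digest()


def hmac_hex(key: bytes, message: str, algorithm: str = "sha256") -> str:
    """What the tool's pipeline does: UTF-8 encode the text, then HMAC, then hex."""
    return hmac_rfc2104(key, message.encode("utf-8"), algorithm).hex()


def matches_stdlib(key: bytes, message: bytes, algorithm: str) -> bool:
    """Cross-check the hand-rolled construction against hmac.new()."""
    expected = hmac.new(key, message, algorithm).digest()
    return hmac.compare_digest(hmac_rfc2104(key, message, algorithm), expected)


# RFC 4231 test case 2: a published vector, not constructed for this example.
RFC4231_TC2_KEY = b"Jefe"
RFC4231_TC2_DATA = "what do ya want for nothing?"
RFC4231_TC2_SHA256 = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"

if __name__ == "__main__":
    assert hmac_hex(RFC4231_TC2_KEY, RFC4231_TC2_DATA) == RFC4231_TC2_SHA256
    for alg in ("sha256", "sha384", "sha512"):
        # short key, exactly block-sized key, and a key longer than any block size
        for key in (b"k", b"0" * 64, b"x" * 200):
            assert matches_stdlib(key, b"hello", alg)
    print("HMAC-SHA256('hello', 'secret') =", hmac_hex(b"secret", "hello"))
```

Run it with the same key and message you type into the tool and the hex output should match character for character; the three key lengths in the self-check exercise both branches of the key normalisation.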

Key insight: Anyone can compute SHA-256("hello"), but only someone with the secret key can compute HMAC-SHA256("hello", key). This is what makes HMAC useful for authentication.

When You'd Actually Use This

API request authentication

AWS Signature Version 4 and many other API schemes authenticate requests with HMAC signatures. The client computes an HMAC over a canonical form of the request (method, path, selected headers, a hash of the body, and a timestamp) with its API secret, and sends the result in the Authorization header; the server recomputes it from the request it actually received.

JWT token signatures

JSON Web Tokens often use HS256 (HMAC-SHA256) for signing. The signature covers the base64url-encoded header and payload joined by a dot. When verifying, pin the algorithm you expect in your own configuration rather than trusting the alg field of the incoming token.

Webhook verification

Services like Stripe and GitHub send webhooks with HMAC signatures. Verify incoming webhooks by computing the HMAC of the raw request body (before any JSON parsing or re-serialisation) and comparing it in constant time to the signature in the headers. Stripe also folds a timestamp into the signed data so that replayed deliveries can be rejected.

Secure session cookies

Sign session cookies with HMAC to prevent tampering. The server signs the cookie data with a secret key and stores data and tag together; on subsequent requests it recomputes the tag over the received data and verifies it before trusting the cookie contents. The data is still readable by the client, so put nothing in it that must stay secret.
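The two verification patterns just described (webhooks and signed cookies) share one core, so here is one added example covering both. It is not the page's code nor any vendor's SDK: the webhook side models the GitHub-style header format "sha256=<hex>" over the raw body, the cookie side uses a "<base64url data>.<base64url tag>" layout chosen for this example, and both verify with hmac.compare_digest so a mismatch does not leak through response timing. The request body, cookie values and key are constructed samples.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional


def generate_key() -> bytes:
    # 32 random bytes = 256 bits, the HMAC-SHA256 output length.
    return secrets.token_bytes(32)


# ----- Webhook: GitHub-style "sha256=<hex>" header over the raw body -----

def sign_webhook(secret: bytes, body: bytes) -> str:
    """What the sending service does."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Recompute over the raw body and compare in constant time."""
    prefix = "sha256="
    if not signature_header.startswith(prefix):
        return False
    try:
        received = bytes.fromhex(signature_header[len(prefix):])
    except ValueError:
        return False  # not hex at all, cannot possibly match
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    # A plain == returns at the first differing byte and leaks its position;
    # compare_digest takes the same time whatever differs.
    return hmac.compare_digest(expected, received)


# ----- Session cookie: "<base64url data>.<base64url tag>" -----

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(key: bytes, data: bytes) -> str:
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return _b64(data) + "." + _b64(tag)


def verify_cookie(key: bytes, cookie: str) -> Optional[bytes]:
    """Return the cookie data if its tag verifies, else None."""
    try:
        data_b64, tag_b64 = cookie.split(".", 1)
        data, tag = _unb64(data_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return data if hmac.compare_digest(expected, tag) else None


# Constructed samples for demonstration only.
SAMPLE_SECRET = b"\x42" * 32
SAMPLE_BODY = b'{"action":"opened","number":1}'

if __name__ == "__main__":
    header = sign_webhook(SAMPLE_SECRET, SAMPLE_BODY)
    print(header, verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, header))
    key = generate_key()
    cookie = sign_cookie(key, b"user=alice;role=user")
    print(cookie, verify_cookie(key, cookie))
```

Note that the webhook check needs the bytes exactly as they arrived: parsing the JSON and re-serialising it before hashing is a common cause of "valid webhooks fail to verify".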

Message integrity in distributed systems

Microservices communicating over message queues can use HMAC to ensure messages haven't been modified in transit. Bear in mind that every service holding the shared key can forge messages as any other holder, so scope keys per sender where you need to tell them apart.

Testing cryptographic implementations

Building your own HMAC verification code? Generate known test vectors with this tool and compare against your implementation's output to verify correctness.

What to Know Before Using HMAC

The key must stay secret. Anyone with the key can forge valid HMACs. Store keys securely, rotate them periodically, and never commit them to version control.

Key length matters. Use keys at least as long as the hash output (32 bytes for HMAC-SHA256, 48 for SHA-384, 64 for SHA-512), generated with a cryptographically secure random generator rather than derived from a password. Shorter keys reduce security; keys longer than the hash's block size (64 bytes for SHA-256, 128 for SHA-384 and SHA-512) are hashed down to the output length first, so they add nothing.

Algorithm choice affects output size. HMAC-SHA256 produces 64 hex characters (32 bytes), HMAC-SHA384 produces 96 (48 bytes), and HMAC-SHA512 produces 128 (64 bytes). Match the algorithm to your security requirements and storage constraints.

Timing attacks are real. When verifying HMACs, use a constant-time comparison so an attacker cannot learn the correct signature byte by byte from response timing. A plain string comparison returns at the first mismatch; use the function your library provides for this purpose instead (for example hmac.compare_digest in Python or crypto.timingSafeEqual in Node.js).

HMAC is not encryption. The message itself isn't hidden—HMAC just proves it came from someone with the key and hasn't been modified. Use encryption separately if you need confidentiality.

Common Questions

What's the difference between HMAC and plain hash?

A plain hash (like SHA-256) only proves data integrity—anyone can compute it. HMAC requires a secret key, so it proves both integrity and authenticity. Only someone with the key could have generated the HMAC.

Which HMAC algorithm should I use?

HMAC-SHA256 is the standard choice: secure and widely supported. Use HMAC-SHA384 or HMAC-SHA512 if you need a larger security margin or are working in a high-security environment. Avoid HMAC-MD5 and HMAC-SHA1 in new designs. HMAC does not depend on collision resistance, so the known collision attacks on those hashes do not break it directly, but both functions are deprecated and widely disallowed, and there is no reason to pick them over SHA-256.

How do I verify an HMAC?

Compute the HMAC of the received message (the exact bytes you received, not a re-serialised copy) using your secret key, then compare it to the provided signature. If they match, the message is authentic and unmodified. Always use a constant-time comparison to prevent timing attacks, and decode a hex or base64 signature to bytes before comparing rather than comparing strings of possibly different case.

Can HMAC be reversed to reveal the key?

No. HMAC is one-way like the underlying hash function. Even with many message-signature pairs, recovering a properly generated key is computationally infeasible with a modern hash like SHA-256. The caveat is key quality: a short or guessable key (a password, a word) can be brute-forced offline from a single message-signature pair, which is why keys must be long and random.

What happens if the key is compromised?

An attacker can forge valid HMACs for any message and, where the HMAC is the only check, impersonate any party that holds the key. Immediately rotate the key, invalidate all existing signatures (sessions, tokens, pending webhook retries), and investigate how the compromise occurred. This is why key management is critical.

Is this tool safe for generating production HMACs?

The computation runs in your browser through the Web Crypto API rather than on a server. Even so, don't paste production secrets into any web tool: you cannot verify from the interface what a page does with what you type. Use it for testing and learning, and generate production HMACs in your secure backend environment.

Why does HMAC use the key twice?

HMAC applies the key in two different ways (inner and outer padding). The inner hash binds the key to the message; the outer hash over that digest is what stops length-extension attacks, which affect the naive construction H(key || message) with Merkle-Damgard hashes such as SHA-256: given H(key || m) an attacker can compute H(key || m || pad || extra) without knowing the key, but cannot extend HMAC's nested output. This construction, defined in RFC 2104, has a security proof: HMAC is a secure pseudorandom function as long as the underlying hash's compression function is one, a weaker requirement than collision resistance.