
Guide

How to use this tool, examples, and related tips.

How to Use the HMAC Generator

Enter your message in the message field.

Enter your secret key.

Select your hash algorithm — MD5, SHA-1, SHA-256, SHA-512, or others.

The HMAC is computed instantly and displayed as a hexadecimal string. Copy it for use in your authentication or verification workflow.

What Is HMAC?

HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message using a cryptographic hash function and a shared secret key. Defined in RFC 2104, HMAC combines the message and the key through a specific construction — HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m)) — that makes it resistant to length-extension attacks that affect raw hash functions. HMAC does not encrypt the message — it produces a fixed-length authentication tag that can be verified by any party holding the same secret key. It is used in API request signing, JWT signature construction, webhook verification, and TLS handshake authentication.
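The construction above written out step by step, as an added example (not this tool's own code). The function names `hmac_rfc2104` and `verify_tag` and the sample key and body are constructed for illustration; the result is checked against Python's standard `hmac` module, and verification compares tags in constant time.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Compute HMAC(K, m) = H((K ^ opad) || H((K ^ ipad) || m)) by hand."""
    block_size = hashlib.new(hash_name).block_size  # 64 for SHA-256, 128 for SHA-512
    # RFC 2104 key preparation: keys longer than one block are hashed first,
    # then the key is zero-padded to exactly one block.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def verify_tag(key: bytes, msg: bytes, received_hex: str,
               hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare it to the received hex string."""
    expected = hmac_rfc2104(key, msg, hash_name)
    try:
        received = bytes.fromhex(received_hex.strip())
    except ValueError:
        return False  # malformed hex is treated as a failed verification
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(expected, received)


# Constructed sample values, for illustration only.
SAMPLE_KEY = b"demo-shared-secret"
SAMPLE_BODY = b'{"event":"ping","id":42}'

if __name__ == "__main__":
    tag = hmac_rfc2104(SAMPLE_KEY, SAMPLE_BODY)
    # The hand-built tag matches the standard library's implementation.
    assert tag == hmac.new(SAMPLE_KEY, SAMPLE_BODY, hashlib.sha256).digest()
    print("tag:", tag.hex())
    print("valid tag accepted:", verify_tag(SAMPLE_KEY, SAMPLE_BODY, tag.hex()))
    print("tampered body rejected:",
          not verify_tag(SAMPLE_KEY, SAMPLE_BODY + b" ", tag.hex()))
```

The message must be the exact bytes that were signed: a changed encoding, trailing newline, or re-serialized JSON body produces a different tag.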

When to Use This Tool

API request signing — Many APIs require requests to be signed with an HMAC of the request body or canonical string using a secret key. Use this tool to generate or verify signatures manually.

Webhook verification — Services like GitHub, Stripe, and Twilio sign webhook payloads with HMAC-SHA256. Use this tool to compute the expected signature and compare it against the received header.

Debugging authentication pipelines — Reproduce HMAC values manually to isolate whether a signature mismatch is caused by a key, encoding, or algorithm issue.

JWT signature inspection — HS256, HS384, and HS512 JWT signatures are HMAC constructions. Manually compute the HMAC to verify or debug JWT signing behavior.

Related Tools

  • HMAC-SHA256 generator
  • HMAC-SHA512 generator
  • SHA-256 hash generator
  • JWT decoder
  • Bcrypt generator

FAQ

Answers about this tool and how your data is handled.

What is the difference between a hash and an HMAC?

A hash is a one-way transformation of data with no key — anyone can compute it. An HMAC incorporates a secret key into the computation, so only parties holding the key can produce or verify the authentication tag. HMACs provide authentication; hashes alone do not.

Which HMAC algorithm should I use?

HMAC-SHA256 is the recommended default for new systems. It is widely supported, well-audited, and used in most modern API signing schemes. Avoid HMAC-MD5 and HMAC-SHA1 for new security-sensitive applications.

Does HMAC encrypt my message?

No. HMAC produces an authentication tag — it does not encrypt the message content. The message remains in plaintext. For confidentiality, combine HMAC with encryption.

Does this tool send my data to a server?

No. HMAC computation runs entirely in your browser. Your message and secret key never leave your machine.

Can I use HMAC for password storage?

No. HMAC is fast and not designed for password storage. Use bcrypt, Argon2, or scrypt for passwords.
