How Do You Generate an HMAC Online?
Updated 2026-06-27
To generate an HMAC online, paste your message and secret key into the HMAC Generator, choose a hash algorithm like SHA-256, and read the result in hex or Base64 — all computed in your browser using the Web Crypto API, with nothing uploaded.
An HMAC (hash-based message authentication code) proves two things at once: that a message has not been tampered with, and that it came from someone who holds the shared secret key. It is the mechanism behind webhook signatures (Stripe, GitHub, Shopify), signed API requests, and many token formats.
How to compute an HMAC step by step
- Enter the message. It is signed as its raw UTF-8 bytes. Watch for invisible trailing newlines — a stray newline changes the bytes and therefore the HMAC.
- Enter the secret key and set its encoding. Pick UTF-8 for a text passphrase, or Base64 / Hex when your key is a raw byte string from a config file or key generator. The byte counter confirms it decoded correctly.
- Pick the algorithm. SHA-256 is the default and the most common; SHA-1, SHA-384, and SHA-512 are also available.
- Copy the output. The digest appears in both hex and Base64 — copy whichever your receiving system expects.
Why key encoding matters most
The single biggest reason two HMACs disagree is the key encoding. The string 5365637265744b6579 is nine bytes when read as hex but eighteen bytes when read as UTF-8 text, and those two interpretations produce completely different HMACs. If your server stores the key as raw random bytes (often shown as Base64 or hex), select the matching encoding here rather than leaving it on UTF-8. The live byte count next to the key field is your sanity check: if the number does not match the key length your backend expects, the encoding is wrong.
Hex vs Base64 output
Both outputs encode the exact same bytes — they are just two ways of writing them down. Webhook headers such as X-Hub-Signature-256 typically use hex, while many cloud APIs expect Base64. Because the tool shows both at once, you never have to convert manually; just copy the format the other system wants.
Privacy: it runs entirely in your browser
Unlike server-side HMAC tools, the HMAC Generator computes everything locally with the browser's native Web Crypto API. Your message and secret key never leave the page and are never uploaded. That makes it safe to paste a real production webhook secret or signing key, and it keeps working offline once the page has loaded.
A quick verification workflow
- Generate the HMAC of a known test message with a known key.
- Compare it byte-for-byte against your server's output in the same format (hex or Base64).
- If they differ, check four things in order: key encoding, algorithm, exact message bytes (whitespace/newlines), and hex-vs-Base64.
If you only need a plain digest or checksum of a file or string — without a secret key — reach for the Hash & Checksum Generator instead, which covers MD5, SHA-1/256/512, and CRC32 with a built-in verify mode. HMAC is the right choice specifically when authentication with a shared secret is required, not just integrity.