HMAC Generator
Sign a message with a secret key — SHA-1/256/384/512, hex or base64. Free and 100% private — runs entirely in your browser, nothing is ever uploaded.
About HMAC Generator
The HMAC Generator computes a hash-based message authentication code (HMAC) from a message and a secret key, using your browser's built-in Web Crypto API. Use it to sign webhook payloads, verify API request signatures, or test HMAC implementations against known vectors. It supports SHA-1, SHA-256, SHA-384, and SHA-512, accepts the key as UTF-8, Base64, or Hex, and outputs the result in both hex and Base64. Everything runs locally in your browser, so your message and secret key are never uploaded to any server.
How to use HMAC Generator
- Paste or type the message you want to authenticate into the Message field. It is signed as its UTF-8 bytes, and an empty message still produces a valid HMAC.
- Enter your shared secret key, then pick the key encoding (UTF-8, Base64, or Hex) that matches how the key is stored. The tool shows the decoded key length in bytes so you can confirm it parsed correctly.
- Choose the hash algorithm: SHA-1, SHA-256, SHA-384, or SHA-512. SHA-256 is the default and the most common for webhooks and APIs.
- Read the HMAC instantly from the result panel, which shows the algorithm and output size in bits.
- Copy the digest in hex or Base64 with the Copy button, matching whichever format the receiving system expects.
Frequently asked questions
- What hash algorithms does the HMAC Generator support?
- It supports HMAC with SHA-1, SHA-256, SHA-384, and SHA-512, all computed through the browser's native Web Crypto API. SHA-256 is selected by default because it is the standard choice for most webhook and API signatures.
- How should I enter my secret key?
- Switch the key encoding to match how your key is stored. Choose UTF-8 for a plain text passphrase, Base64 or Hex for raw byte keys (for example a key copied from a config file or generated as random bytes). The tool decodes the key to bytes and shows the byte length so you can verify it was parsed as expected.
- Should the output be hex or Base64?
- Use whatever your receiving system expects. The tool always shows both: hex is common for signature headers like X-Hub-Signature-256, while Base64 is common in cloud APIs. The hex and Base64 strings represent the exact same bytes.
- Is my message or secret key uploaded anywhere?
- No. The HMAC is computed entirely in your browser with the Web Crypto API, and nothing is sent to a server. This makes the tool safe to use with production webhook secrets and signing keys, even offline once the page has loaded.
- Why does my HMAC not match the one from my server?
- The most common causes are a key-encoding mismatch (your key is raw bytes but entered as UTF-8, or vice versa), a different algorithm, hidden trailing whitespace or newlines in the message, or comparing hex against Base64 output. Match the encoding, algorithm, and exact message bytes, then compare the same output format.
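The key-encoding and trailing-whitespace mismatches from the last answer can be reproduced with the Web Crypto API against a published vector (RFC 4231, test case 2). This is an added example, not the tool's own source; the helper names (`decodeKey`, `hmac`, `verifyHex`) and the Node `require` fallback are assumptions made for illustration.

```javascript
// Added example; helper names are illustrative. The require() fallback is an
// assumption for Node versions that lack a global `crypto` (browsers skip it).
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const utf8 = (s) => new TextEncoder().encode(s);
const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));
function fromHex(s) {
  if (!/^([0-9a-f]{2})*$/i.test(s)) throw new Error('invalid hex string');
  return Uint8Array.from(s.match(/../g) ?? [], (pair) => parseInt(pair, 16));
}

// Turn the key text into raw bytes according to the declared encoding.
function decodeKey(text, encoding) {
  switch (encoding) {
    case 'utf8': return utf8(text);
    case 'hex': return fromHex(text.trim());
    case 'base64': return Uint8Array.from(atob(text.trim()), (c) => c.charCodeAt(0));
    default: throw new Error(`unknown key encoding: ${encoding}`);
  }
}

function importHmacKey(keyText, keyEncoding, hash) {
  return subtle.importKey('raw', decodeKey(keyText, keyEncoding),
    { name: 'HMAC', hash }, false, ['sign', 'verify']);
}

// Sign the message's UTF-8 bytes; hex and base64 encode the same MAC bytes.
async function hmac(message, keyText, keyEncoding, hash = 'SHA-256') {
  const key = await importHmacKey(keyText, keyEncoding, hash);
  const mac = new Uint8Array(await subtle.sign('HMAC', key, utf8(message)));
  return { hex: toHex(mac), base64: toBase64(mac) };
}

// Check a received hex signature. The comparison is done by subtle.verify on
// bytes, not by === on two hex strings.
async function verifyHex(message, signatureHex, keyText, keyEncoding, hash = 'SHA-256') {
  const key = await importHmacKey(keyText, keyEncoding, hash);
  return subtle.verify('HMAC', key, fromHex(signatureHex), utf8(message));
}

// RFC 4231 test case 2: key "Jefe" (hex 4a656665), HMAC-SHA-256.
const RFC4231_TC2 = '5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843';
async function demo() {
  const msg = 'what do ya want for nothing?';
  console.log((await hmac(msg, '4a656665', 'hex')).hex === RFC4231_TC2);  // key as raw bytes
  console.log((await hmac(msg, '4a656665', 'utf8')).hex === RFC4231_TC2); // same text, wrong encoding
  console.log(await verifyHex(msg + '\n', RFC4231_TC2, 'Jefe', 'utf8'));  // trailing newline
}
demo();
```

On a server that checks webhook signatures, decode the received signature to bytes and verify it as in `verifyHex` instead of comparing the encoded strings.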