HMAC Generator

Compute an HMAC of any message with a secret key — in your browser, using Web Crypto. Pick HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, or HMAC-SHA-512, switch the key between text and hex, choose hex or base64 output, and optionally paste an expected digest to verify. Five common API presets are wired in. The key never leaves this tab.

0 bytes · 0 bits

0 bytes
Algorithm & output
Output
HMAC

Common API presets click to load
About HMAC
  • HMAC is a keyed hash: H((K ⊕ opad) || H((K ⊕ ipad) || message)). Unlike a plain hash, an attacker without the key can't reproduce the digest.
  • Web Crypto exposes it as crypto.subtle.sign("HMAC", key, data) — the key is imported with name: "HMAC" + the hash name. The result is binary; the page encodes it to hex or base64 for display.
  • Key bytes vs. key characters: the secret is the raw bytes, not the characters. A 32-character ASCII key is 32 bytes; a 64-character hex string is 32 bytes. Use the Hex mode to paste a hex-encoded key (e.g. a Stripe whsec_… decoded value).
  • Recommended: HMAC-SHA-256 is the default for modern APIs (GitHub webhooks, Stripe, Slack, JWT HS256). HMAC-SHA-1 still appears in OAuth 1.0a / Twitter and a handful of older webhook systems.
  • Verify mode uses a constant-time string compare so a wrong guess doesn't leak information through timing. The compare runs every time you type in the expected field; the message, key, algorithm, and output format must match what the sender used.
  • Prefix handling: GitHub sends sha256=<hex>, Stripe sends v1=<hex>. The verify box understands the name=<value> shape and only compares the value part.
  • Everything runs in this tab. The key, the message, and the digest never leave your browser.