HMAC Generator
Generate or verify HMAC signatures using SHA-256, SHA-384, SHA-512, or SHA-1. 100% client-side — your secret key never leaves your browser.
How to Use the HMAC Generator
- Select an algorithm — choose SHA-256 (recommended), SHA-384, SHA-512, or SHA-1 from the chips above.
- Enter your message — paste the request body, webhook payload, or any string you want to sign.
- Enter your secret key — type or paste your shared secret. Use the "Show Key" toggle to reveal it.
- Copy the HMAC — the hex or base64 output appears instantly. Use the Copy button to copy it to your clipboard.
- Verify a signature — switch to Verify mode, enter the message, key, and the HMAC to check. A green status means it matches.
What Is HMAC and Why Is It Used?
HMAC stands for Hash-based Message Authentication Code. It is defined in RFC 2104 and is one of the most widely used cryptographic primitives in web security. Unlike a plain hash (such as SHA-256, which anyone can compute), an HMAC requires knowledge of a shared secret key. This makes it computationally infeasible for an attacker to forge a valid signature without knowing the key — even if they know the exact message and algorithm used.
HMAC is used in hundreds of real-world systems. AWS Signature Version 4 uses HMAC-SHA256 to sign every API request. GitHub uses HMAC-SHA256 to sign webhook payloads so your server can verify they actually came from GitHub. Stripe signs all webhook events with HMAC-SHA256. JWT (JSON Web Tokens) can use HMAC-SHA256 (HS256) for symmetric signing. OAuth 1.0a used HMAC-SHA1 for request signing. If you work with any of these services, this tool will help you debug signature mismatches or test your signing logic.
HMAC Algorithm Comparison
- HMAC-SHA256 — 256-bit (64 hex chars / 44 base64 chars). Industry standard. Use this unless you have a specific reason not to. Used by AWS, GitHub, Stripe, most modern APIs.
- HMAC-SHA384 — 384-bit (96 hex chars). Stronger than SHA-256, used in some financial and government systems.
- HMAC-SHA512 — 512-bit (128 hex chars / 88 base64 chars). Provides the largest digest. Useful when output length matters for security margins.
- HMAC-SHA1 — 160-bit (40 hex chars). Legacy algorithm still used in OAuth 1.0a and some older systems. Avoid for new implementations — SHA-1 is considered weak for collision resistance, though HMAC-SHA1 is still computationally secure for authentication purposes.
Hex vs. Base64 Output
HMAC produces a raw binary digest. This digest can be encoded in different ways for transmission:
- Hex encoding — represents each byte as two hexadecimal characters (0–9, a–f). SHA-256 produces 64 hex characters. Hex is human-readable and is used by GitHub, AWS, and most developer-facing APIs.
- Base64 encoding — uses 64 characters (A–Z, a–z, 0–9, +, /) to represent binary data more compactly. SHA-256 produces 44 base64 characters. Base64 is used in HTTP headers and many authentication libraries.
Security Considerations
When implementing HMAC verification in your own code, always use a constant-time comparison function instead of a regular string equality check. This prevents timing attacks, where an attacker can infer how many characters of the signature matched by measuring how long the comparison took. In Python, use hmac.compare_digest(). In Node.js, use crypto.timingSafeEqual(). In Go, use hmac.Equal(). Never use == or === to compare HMAC signatures.
Also keep your secret keys long (at least 32 bytes / 256 bits for HMAC-SHA256) and random. Rotate keys periodically and revoke them immediately if they may have been compromised. For related tools, check out the Hash Generator for plain SHA hashing, JWT Decoder for token inspection, and Checksum Verifier for file integrity verification.