EncryptCodecencryptcodec
Tools/HMAC

HMAC Generator

Generate HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 message authentication codes. Verify request integrity, sign webhooks, or validate API payloads.

All processing happens in your browser — nothing is sent to our servers
Enter a message and secret key to generate the HMAC

What is HMAC used for?

HMAC (Hash-based Message Authentication Code) proves that a message came from someone who knows the secret key and hasn't been tampered with. Common uses: webhook signature verification (GitHub, Stripe, Shopify all use HMAC-SHA256), API request signing, and JWT HS256/HS512 signatures under the hood. Unlike a plain hash, HMAC requires the secret — an attacker can't forge it without knowing the key.

How it works
HMAC (Hash-based Message Authentication Code)
01Key + Message

A secret key (any length) and the message to authenticate

02Key padding

Key padded/hashed to block size (64 bytes for SHA-256, 128 bytes for SHA-512)

03Inner hash

H((K XOR ipad) || message) — first hash pass with inner padding (0x36 repeated)

04Outer hash

H((K XOR opad) || inner_hash) — second hash pass with outer padding (0x5C repeated)

05MAC output

The final HMAC — hex or Base64 encoded — proves message integrity and key possession

Spec: RFC 2104 (HMAC), FIPS 198-1, combined with FIPS 180-4 (SHA-2)

HMAC proves both data integrity and that the sender holds the key — unlike a plain hash which anyone can compute. Use timing-safe comparison when verifying.

Frequently Asked Questions

Keep learning

JWT Forgery Simulation
HMAC in JWT signing attacks
Simulation
HMAC vs Digital Signatures
When to use HMAC vs signatures
Guide
Webhook HMAC Guide
Securing webhooks with HMAC
Guide