HMAC Generator

Free online HMAC generator — create HMAC-SHA256, SHA1, and SHA512 signatures from a secret key and message, output as hex or Base64.

What HMAC Generator Does

Takes a plaintext secret key and a plaintext message as input, runs them through the browser's native Web Crypto API using the selected algorithm (SHA-1, SHA-256, or SHA-512), and outputs a fixed-length keyed hash digest encoded as either a lowercase hex string or a Base64 string.

Who Uses This Tool

HMAC Generator is built for Backend developers, API integrators, webhook signature verifiers, security engineers, QA testers validating HMAC payloads, DevOps engineers debugging signed requests. Whether you are processing data as part of an automated pipeline or need a quick one-off conversion in your browser, the tool requires no installation and no account — paste your input and get your result in seconds.

Primary Use Case

Generating an HMAC-SHA256 signature to verify or debug signed API requests and webhook payloads.

The Problem It Solves

Manually computing HMACs requires writing throwaway scripts in Python, Node.js, or terminal commands — each with different flag syntax, encoding gotchas, and newline handling inconsistencies. A missing newline or wrong encoding silently produces a wrong digest, causing auth failures that are hard to trace. This tool removes that friction by handling normalization, encoding, and algorithm selection in one interface with immediate output.

Example

Input
Secret Key:
my-secret-key

Message:
hello world
Output
90eb182d8396f16d4341d582047f45c0a97d73388c5377d9ced478a2212295ad

When to Use This Tool

Use this tool when generating signed API requests, verifying webhook authenticity, testing backend authentication systems, or debugging HMAC implementations during development.

What to Do With the Output

Paste into an X-Hub-Signature, Authorization, or custom signature header when testing APIs; compare against a server-generated HMAC to validate correctness; store in test fixtures for automated request signing tests; use in Postman pre-request scripts as a reference value.

Common Mistakes to Avoid

1) Trailing newlines in the message change the digest — the tool strips leading/trailing newlines from the key but preserves message content; copy carefully from editors that auto-append newlines. 2) Confusing the key field with the message field in simple mode — in simple input mode the first non-empty line is always treated as the key. 3) Expecting SHA-1 output to match SHA-256 output — each algorithm produces a different-length digest (20, 32, or 64 bytes respectively). 4) Base64 output is standard Base64, not URL-safe Base64 — signatures compared against URL-safe implementations (`-` and `_` variants) will not match. 5) Web Crypto API requires a secure context (HTTPS or localhost) — running the page over plain HTTP will silently fail with no output.

How It Works

The tool encodes the key and message strings to UTF-8 byte arrays using TextEncoder. It imports the key bytes into the Web Crypto API via crypto.subtle.importKey with the HMAC algorithm and the selected hash (SHA-1, SHA-256, or SHA-512). crypto.subtle.sign then computes the HMAC over the message bytes, returning an ArrayBuffer. That buffer is converted to either a hex string (byte-by-byte base-16 encoding with zero-padding) or Base64 (chunked String.fromCharCode + btoa). All cryptographic operations run natively in the browser — no data leaves the client.

Pro Tip

Use the structured input format (Secret Key: ... \n Message: ...) when scripting page interactions or writing test documentation — it makes the key/message boundary unambiguous and survives copy-paste into multi-line editors without risking the first-line parsing heuristic misidentifying an empty key. You can also switch algorithm and encoding without re-clicking Generate — the tool auto-regenerates whenever either setting changes while input is present, letting you instantly diff hex vs. Base64 or SHA-256 vs. SHA-512 output for the same inputs.

Also Known As

HMAC Generator is also commonly referred to as HMAC generator, HMAC-SHA256 generator, HMAC SHA256 online tool, keyed hash generator, HMAC calculator, generate HMAC online, HMAC signature tool, HMAC-SHA1, HMAC-SHA512, message authentication code generator, hmacsha256 online, compute HMAC, HMAC hash generator. All of these terms describe the same conversion — no matter what you call it, this tool handles it.

Frequently Asked Questions

All three use the same HMAC construction but differ in the underlying hash function. SHA-256 produces a 32-byte (256-bit) digest, SHA-1 produces 20 bytes (160-bit), and SHA-512 produces 64 bytes (512-bit). SHA-1 is considered cryptographically weak for collision resistance but still used in legacy systems; SHA-256 is the current standard for most API signing schemes; SHA-512 offers a larger security margin.
Yes — all computation runs locally in your browser using the Web Crypto API. No input data is transmitted to any server. You can verify this by checking network requests in browser DevTools while using the tool.
The most common causes are: (1) a trailing newline in the message, (2) the message being serialized differently (e.g., different JSON key ordering), (3) the key being hex-decoded on the server before use — meaning the server treats the key as raw bytes, not a UTF-8 string. Confirm whether your server imports the key as a raw UTF-8 string or as decoded bytes.
Two formats are supported. Simple mode: first non-empty line is the secret key, everything after the next line is the message. Structured mode: label the sections explicitly with Secret Key: and Message: on separate lines — useful when the key or message itself contains newlines.
Yes. Paste the webhook secret as the key and the raw request body as the message, select the algorithm specified by the webhook provider (usually SHA-256), and compare the hex output against the signature sent in the webhook header (after stripping any prefix like sha256=).
Once the page is loaded, all computation is performed client-side. However, the Web Crypto API requires a secure context — it will not function on plain HTTP. If your environment blocks HTTPS, the tool will fail to generate output.