HMAC Generator
Free online HMAC generator — create HMAC-SHA256, SHA1, and SHA512 signatures from a secret key and message, output as hex or Base64.
What HMAC Generator Does
Takes a plaintext secret key and a plaintext message as input, runs them through the browser's native Web Crypto API using the selected algorithm (SHA-1, SHA-256, or SHA-512), and outputs a fixed-length keyed hash digest encoded as either a lowercase hex string or a Base64 string.
Who Uses This Tool
HMAC Generator is built for Backend developers, API integrators, webhook signature verifiers, security engineers, QA testers validating HMAC payloads, DevOps engineers debugging signed requests. Whether you are processing data as part of an automated pipeline or need a quick one-off conversion in your browser, the tool requires no installation and no account — paste your input and get your result in seconds.
Primary Use Case
Generating an HMAC-SHA256 signature to verify or debug signed API requests and webhook payloads.
The Problem It Solves
Manually computing HMACs requires writing throwaway scripts in Python, Node.js, or terminal commands — each with different flag syntax, encoding gotchas, and newline handling inconsistencies. A missing newline or wrong encoding silently produces a wrong digest, causing auth failures that are hard to trace. This tool removes that friction by handling normalization, encoding, and algorithm selection in one interface with immediate output.
Example
Secret Key: my-secret-key Message: hello world
90eb182d8396f16d4341d582047f45c0a97d73388c5377d9ced478a2212295ad
When to Use This Tool
Use this tool when generating signed API requests, verifying webhook authenticity, testing backend authentication systems, or debugging HMAC implementations during development.
What to Do With the Output
Paste into an X-Hub-Signature, Authorization, or custom signature header when testing APIs; compare against a server-generated HMAC to validate correctness; store in test fixtures for automated request signing tests; use in Postman pre-request scripts as a reference value.
Common Mistakes to Avoid
1) Trailing newlines in the message change the digest — the tool strips leading/trailing newlines from the key but preserves message content; copy carefully from editors that auto-append newlines. 2) Confusing the key field with the message field in simple mode — in simple input mode the first non-empty line is always treated as the key. 3) Expecting SHA-1 output to match SHA-256 output — each algorithm produces a different-length digest (20, 32, or 64 bytes respectively). 4) Base64 output is standard Base64, not URL-safe Base64 — signatures compared against URL-safe implementations (`-` and `_` variants) will not match. 5) Web Crypto API requires a secure context (HTTPS or localhost) — running the page over plain HTTP will silently fail with no output.
How It Works
The tool encodes the key and message strings to UTF-8 byte arrays using TextEncoder. It imports the key bytes into the Web Crypto API via crypto.subtle.importKey with the HMAC algorithm and the selected hash (SHA-1, SHA-256, or SHA-512). crypto.subtle.sign then computes the HMAC over the message bytes, returning an ArrayBuffer. That buffer is converted to either a hex string (byte-by-byte base-16 encoding with zero-padding) or Base64 (chunked String.fromCharCode + btoa). All cryptographic operations run natively in the browser — no data leaves the client.
Pro Tip
Use the structured input format (Secret Key: ... \n Message: ...) when scripting page interactions or writing test documentation — it makes the key/message boundary unambiguous and survives copy-paste into multi-line editors without risking the first-line parsing heuristic misidentifying an empty key. You can also switch algorithm and encoding without re-clicking Generate — the tool auto-regenerates whenever either setting changes while input is present, letting you instantly diff hex vs. Base64 or SHA-256 vs. SHA-512 output for the same inputs.
Also Known As
HMAC Generator is also commonly referred to as HMAC generator, HMAC-SHA256 generator, HMAC SHA256 online tool, keyed hash generator, HMAC calculator, generate HMAC online, HMAC signature tool, HMAC-SHA1, HMAC-SHA512, message authentication code generator, hmacsha256 online, compute HMAC, HMAC hash generator. All of these terms describe the same conversion — no matter what you call it, this tool handles it.