Command Palette

Search for a command to run...

HMAC

HMAC Generator

Generate and verify HMAC-SHA-256/512 signatures locally.

Input
Uses Web Crypto API for local HMAC computation.

All calculations run locally in the browser.

Output
Inspect generated signature and verification state.

Generate a signature to see output.

Security note: secrets are not stored, but avoid exposing them in screenshots or clipboard history.

What

HMAC Generator definition

HMAC combines a secret key and a hash function to provide message integrity and authentication.

Cases

Use Cases

1

Reproduce webhook signatures

2

Debug API request signing

3

Compare expected signatures

How To

How to generate HMAC signatures

Provide message/key settings and compute a signature.

1

Enter message and secret

Input the message payload and the signing secret.

2

Choose options

Select algorithm and secret/output encoding.

3

Generate and verify

Generate the signature and optionally compare with an expected value.

Knowledge

Understanding HMAC

Purpose
HMAC proves both message integrity and shared-secret possession.
Construction
It applies a keyed hash construction over the message using SHA-256/512.
Verification
Constant-time comparison helps reduce timing side-channel leaks.
Encoding pitfalls
Different textual encodings can represent the same bytes differently.
Operational hardening
Combine key rotation, short validity windows, and replay protections for safer deployments.

FAQ

HMAC Generator FAQ

How is HMAC different from a plain hash?
HMAC uses a secret key, so attackers cannot recompute valid signatures without the key.
Which algorithm should I choose?
SHA-256 is usually sufficient; use SHA-512 when policy requires longer digests.
When should I switch output encoding?
Use the format required by your integration: hex, base64, or base64url.
How does verification work?
It compares generated and expected bytes with length checks and constant-time comparison.
Can I provide secret in base64?
Yes. Select Base64 secret encoding and it will decode before signing.
Is my input uploaded?
No. Everything runs in-browser.
Why do I get an invalid expected signature error?
The expected value must match the selected output encoding format.
Can I validate test vectors?
Yes. This tool is suitable for checking RFC-style known vectors.
HMAC Generator