HMAC, explained
What a hash-based message authentication code is, why it's more than a hash, where you'll meet it in real systems, and how to generate one.
Open the HMAC Generator →
What this tool does
The HMAC Generator takes a message and a secret key and produces an HMAC using SHA-1, SHA-256, SHA-384 or SHA-512, shown as hex and Base64. It uses the browser's built-in Web Crypto API, so your message and key never leave your device.
What is an HMAC?
HMAC stands for hash-based message authentication code. It combines a message with a secret key through a hash function to produce a short code. Two parties who share the key can both compute it: the sender attaches the code, and the receiver recomputes it and checks that the two match. If they do, the message is authentic (it came from someone with the key) and intact (it wasn't altered in transit).
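The sender and receiver steps described above, written against the Web Crypto API as an added example (it is not the tool's code). The function names are illustrative, and the key and message are constructed sample values; a real key should be long and random.

```javascript
// Added example (not the tool's code): HMAC via Web Crypto in a browser or Node.js.
// The fallback covers Node.js builds that lack a global `crypto`.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const enc = new TextEncoder();

// Import the shared secret as a non-extractable HMAC key for the chosen hash.
function importHmacKey(secret, hash) {
  return subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash },
    false, ['sign', 'verify']);
}

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromHex = (hex) =>
  Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

// Sender: compute the code and return it in both encodings.
async function hmac(secret, message, hash = 'SHA-256') {
  const key = await importHmacKey(secret, hash);
  const tag = new Uint8Array(await subtle.sign('HMAC', key, enc.encode(message)));
  return { hex: toHex(tag), base64: toBase64(tag) };
}

// Receiver: recompute over the received message and let subtle.verify do the
// comparison, rather than comparing hex strings with ===.
async function verifyHmac(secret, message, tagHex, hash = 'SHA-256') {
  if (!/^(?:[0-9a-f]{2})+$/i.test(tagHex)) return false; // malformed code
  const key = await importHmacKey(secret, hash);
  return subtle.verify('HMAC', key, fromHex(tagHex), enc.encode(message));
}

// Constructed sample values, far too short to serve as a real key.
async function demo() {
  const secret = 'key';
  const msg = 'The quick brown fox jumps over the lazy dog';
  const { hex, base64 } = await hmac(secret, msg);
  return {
    hex,
    base64,
    genuine: await verifyHmac(secret, msg, hex),        // same key, same message
    tampered: await verifyHmac(secret, msg + '!', hex), // message altered in transit
    wrongKey: await verifyHmac('other', msg, hex),      // sender lacked the key
  };
}

demo().then(console.log);
```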
HMAC vs a plain hash
A plain hash such as SHA-256 takes only the message, so anyone can compute it. That proves the data wasn't corrupted, but not who produced it — an attacker who changes the message can simply recompute the hash. An HMAC folds in a secret key, so only holders of the key can produce or verify a valid code. Hash = integrity; HMAC = integrity and authenticity.
Where HMACs are used
- API request signing — AWS Signature v4 and many APIs sign requests with HMAC so the server can trust them.
- Webhook verification — Stripe, GitHub, Shopify and others sign webhook payloads with a shared secret; you recompute the HMAC to confirm the call is genuine.
- JSON Web Tokens — the common HS256 algorithm is HMAC-SHA256 over the token's header and payload.
- Cookie and URL integrity — signing values so they can't be tampered with client-side.
Choosing the hash and key
Use SHA-256 unless a system you integrate with dictates otherwise. HMAC-SHA1 is still safe in practice but is being retired. The key should be long and random — at least 32 bytes for SHA-256 — and kept secret; anyone who learns it can forge valid codes. Generate one with the Password Generator or the UUID Generator.
How to use it
- Paste your message into the message box.
- Enter the shared secret key.
- Pick the hash algorithm (SHA-256 is the default).
- Copy the hex or Base64 output — whichever the system you're integrating with expects.
Your data stays private
Everything is computed locally with Web Crypto — your message and key are never uploaded.
FAQ
What is an HMAC used for?
Verifying that a message is authentic and unchanged — signing API requests, validating webhooks, and signing HS256 JWTs.
Which hash should I use with HMAC?
SHA-256 unless a system requires otherwise. HMAC-SHA256 is the modern default.
Does the secret key length matter?
Yes — use a long, random key, ideally at least as many bytes as the hash output. Weak keys break the scheme.