Generate HMAC (Hash-based Message Authentication Code) signatures using SHA-1, SHA-256, SHA-384, or SHA-512 algorithms.
Enter message and secret key to generate HMAC
What is HMAC?
HMAC combines a cryptographic hash function with a secret key to provide message authentication. It's used for verifying data integrity and authenticity in APIs, webhooks, and secure communications.
Why Use HMAC?
HMAC is essential for secure API authentication, webhook verification, and data integrity checks. Unlike simple hashes, HMAC uses a secret key that only the sender and receiver know, preventing tampering and ensuring the message came from a trusted source.
Frequently Asked Questions
What's the difference between HMAC and a regular hash?
A regular hash (like SHA-256) only verifies data integrity. HMAC combines the hash with a secret key, providing both integrity AND authentication - proving the message came from someone who knows the secret.
Which HMAC algorithm should I use?
HMAC-SHA256 is the most common choice, offering a good balance of security and performance. SHA-512 provides more security for highly sensitive data. Avoid SHA-1 for new implementations.
How is HMAC used in APIs?
APIs often use HMAC to sign requests. The client creates an HMAC of the request data using a shared secret, and the server verifies it. This ensures the request wasn't tampered with and came from an authorized source.
Is my secret key sent to your servers?
No. All HMAC calculations happen locally in your browser using the Web Crypto API. Your secret key and data never leave your device.
Can HMAC be reversed to get the original message?
No. HMAC is a one-way function like hashing. You cannot reverse it to get the original message or secret key. It's only used for verification, not encryption.