HMAC Generator

Generate HMAC signatures using SHA-256, SHA-512, or SHA-1 online. Verify webhooks and sign API requests. Free, client-side, no data uploaded.

What is HMAC?

HMAC combines a cryptographic hash function with a secret key to provide message authentication. It's used for verifying data integrity and authenticity in APIs, webhooks, and secure communications.

How to Generate an HMAC Signature

  1. Enter Your Message

     Type or paste the message you want to authenticate into the message field. This can be any text, JSON payload, URL string, or raw request body you need to sign.

  2. Provide Your Secret Key

     Enter the shared secret key in the secret key field. This key must be known by both the sender and the receiver. Use a strong, randomly generated key for production use.

  3. Select a Hash Algorithm

     Choose the HMAC algorithm from the dropdown. HMAC-SHA256 is the most widely used and recommended for most applications. SHA-512 offers stronger security for sensitive data, while SHA-1 is available for legacy compatibility.

  4. Copy Your HMAC Signature

     The HMAC signature is generated instantly as you type. Click the Copy button to copy the hex-encoded result to your clipboard. Use this value in your API headers, webhook verification logic, or authentication flow.

Common Use Cases for HMAC

  1. API Request Signing

     Sign outgoing API requests with HMAC-SHA256 so the receiving server can verify the request was not tampered with and originated from an authorized client. Services like AWS, Stripe, and GitHub use HMAC-based request signing.

  2. Webhook Verification

     Verify incoming webhook payloads from providers like Stripe, GitHub, and Shopify. These services include an HMAC signature in the request header, and you compare it against your own computed HMAC to confirm authenticity.

  3. Data Integrity Checks

     Attach an HMAC to stored or transmitted data to detect unauthorized modifications. Unlike a plain hash, HMAC requires the secret key to forge, making it resistant to tampering by anyone who does not possess the key.

  4. Token and Session Validation

     Generate and verify session tokens or signed cookies using HMAC. Many JWT implementations use HMAC-SHA256 (HS256) as their signing algorithm to ensure tokens have not been altered.

Why Use HMAC?

HMAC is essential for secure API authentication, webhook verification, and data integrity checks. Unlike simple hashes, HMAC uses a secret key that only the sender and receiver know, preventing tampering and ensuring the message came from a trusted source.

HMAC (Hash-based Message Authentication Code) is a specific type of message authentication code that combines a cryptographic hash function with a secret key. It is defined in RFC 2104 and is widely used across the internet for API authentication, webhook verification, and data integrity validation. Unlike a plain SHA-256 hash, which anyone can compute, an HMAC requires knowledge of the secret key, ensuring that only authorized parties can generate or verify the signature.

This free online HMAC generator supports SHA-1, SHA-256, SHA-384, and SHA-512 algorithms. All computation happens entirely in your browser using the Web Crypto API, so your secret key and message data never leave your device. Whether you are debugging a Stripe webhook signature, testing an AWS request signing flow, or building a JWT authentication layer, this tool lets you quickly generate and verify HMAC values without installing libraries or writing throwaway scripts.

HMAC is a cornerstone of modern web security. It underpins the HS256 algorithm used in JSON Web Tokens, the signature scheme for AWS Signature Version 4, and the payload verification system used by payment providers like Stripe and PayPal. If you need to generate cryptographic keys for HMAC signing, try the Random Key Generator. For comparing two HMAC outputs side by side, the Hash Comparison Tool can help you spot mismatches instantly.

How It Compares

HMAC differs from standard hash functions like MD5 or SHA-256 in one critical way: it requires a secret key. A plain SHA-256 hash of a message can be computed by anyone, which means an attacker could modify a message and recompute the hash without detection. HMAC solves this by mixing the secret key into both the inner and outer hash passes, making it computationally infeasible to forge a valid signature without knowing the key.
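The inner and outer passes described above, written out as an added example (not this tool's code): the RFC 2104 construction assembled from plain hash calls in Node.js and checked against the built-in `crypto.createHmac`. The names `hmacManual` and `matchesBuiltin` and the sample inputs are hypothetical.

```javascript
// Added example: RFC 2104 HMAC assembled from plain hash calls (hypothetical helper names).
const { createHash, createHmac } = require('node:crypto');

// Input block size in bytes of each underlying hash function.
const BLOCK_SIZE = { sha1: 64, sha256: 64, sha384: 128, sha512: 128 };

function hmacManual(alg, key, message) {
  const blockSize = BLOCK_SIZE[alg];
  if (!blockSize) throw new Error(`unsupported hash: ${alg}`);

  // A key longer than one block is hashed first, then zero-padded to the block size.
  let k = Buffer.from(key);
  if (k.length > blockSize) k = createHash(alg).update(k).digest();
  const padded = Buffer.alloc(blockSize);
  k.copy(padded);

  // The key is mixed into both passes, each with its own constant.
  const ipad = Uint8Array.from(padded, (b) => b ^ 0x36);
  const opad = Uint8Array.from(padded, (b) => b ^ 0x5c);

  // Inner pass: H((K xor ipad) || message)
  const inner = createHash(alg).update(ipad).update(message).digest();
  // Outer pass: H((K xor opad) || inner)
  return createHash(alg).update(opad).update(inner).digest('hex');
}

// True when the hand-built value equals Node's built-in HMAC for the same inputs.
function matchesBuiltin(alg, key, message) {
  return hmacManual(alg, key, message) === createHmac(alg, key).update(message).digest('hex');
}

// Constructed sample inputs.
const sampleKey = 'constructed-demo-key';
const sampleMsg = '{"event":"ping"}';
console.log(hmacManual('sha256', sampleKey, sampleMsg));
console.log(matchesBuiltin('sha256', sampleKey, sampleMsg));        // short key
console.log(matchesBuiltin('sha512', 'k'.repeat(200), sampleMsg));  // key longer than one block
```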

Compared to digital signatures using RSA or ECDSA, HMAC is symmetric -- both the signer and verifier share the same secret. This makes HMAC faster and simpler for server-to-server communication where both parties can securely exchange a shared key. Digital signatures are preferred when the verifier should not be able to create signatures, such as in public-facing JWT validation scenarios. For most API authentication and webhook verification workflows, HMAC-SHA256 remains the industry standard choice due to its speed, simplicity, and proven security track record.

Tips for Working with HMAC

  1. Always use HMAC-SHA256 or SHA-512 for new projects. SHA-1 is only recommended for legacy system compatibility.
  2. Keep your secret key truly secret. Never embed it in client-side code, URLs, or public repositories.
  3. Use a cryptographically random key of at least 32 bytes. Short or predictable keys weaken HMAC security significantly.
  4. When comparing HMAC signatures, use a constant-time comparison function to prevent timing attacks that could leak information about the expected value.
  5. For webhook verification, always compute the HMAC over the raw request body bytes, not a parsed or re-serialized version, to avoid subtle encoding differences.
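Tips 4 and 5 as an added Node.js example (not this tool's code): a webhook check that computes HMAC-SHA256 over the raw body bytes and compares in constant time. The function names, the sample payload and the bare hex signature format are assumptions; each provider defines its own header format.

```javascript
// Added example: webhook verification over raw bytes with a constant-time compare.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Returns true only if signatureHex is the HMAC-SHA256 of rawBody under secret.
// rawBody must be the bytes exactly as received, before any JSON parsing.
function verifyWebhook(rawBody, signatureHex, secret) {
  // Reject malformed input up front: timingSafeEqual throws on unequal lengths,
  // and Buffer.from(..., 'hex') silently stops at the first non-hex character.
  if (typeof signatureHex !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return false;
  }
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(signatureHex, 'hex');
  return timingSafeEqual(expected, received); // both are 32 bytes here
}

// Constructed sample: a random 32-byte key and a body with the sender's own spacing.
const SECRET = randomBytes(32);
const RAW_BODY = Buffer.from('{"id": 42,  "amount": "10.00"}', 'utf8');
const SIGNATURE = createHmac('sha256', SECRET).update(RAW_BODY).digest('hex');

function demo() {
  // Parsing and re-serializing drops the original whitespace, so the bytes change.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW_BODY.toString('utf8'))));
  return {
    rawBody: verifyWebhook(RAW_BODY, SIGNATURE, SECRET),
    reserialized: verifyWebhook(reserialized, SIGNATURE, SECRET),
    truncatedSignature: verifyWebhook(RAW_BODY, SIGNATURE.slice(0, 16), SECRET),
    wrongKey: verifyWebhook(RAW_BODY, SIGNATURE, randomBytes(32)),
  };
}

console.log(demo());
```

Only the untouched raw body verifies; the re-serialized copy fails even though it parses to the same JSON value.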

Frequently Asked Questions

  1. What's the difference between HMAC and a regular hash?

     A regular hash (like SHA-256) only verifies data integrity. HMAC combines the hash with a secret key, providing both integrity AND authentication - proving the message came from someone who knows the secret.

  2. Which HMAC algorithm should I use?

     HMAC-SHA256 is the most common choice, offering a good balance of security and performance. SHA-512 provides more security for highly sensitive data. Avoid SHA-1 for new implementations.

  3. How is HMAC used in APIs?

     APIs often use HMAC to sign requests. The client creates an HMAC of the request data using a shared secret, and the server verifies it. This ensures the request wasn't tampered with and came from an authorized source.

  4. Is my secret key sent to your servers?

     No. All HMAC calculations happen locally in your browser using the Web Crypto API. Your secret key and data never leave your device.

  5. Can HMAC be reversed to get the original message?

     No. HMAC is a one-way function like hashing. You cannot reverse it to get the original message or secret key. It's only used for verification, not encryption.
