HMAC Generator

Generate an HMAC (hash-based message authentication code) from a message and secret key using SHA-256, SHA-1, SHA-384, or SHA-512. Output the HMAC as lowercase hex and Base64, fully client-side in your browser.

100% private. The HMAC is computed in your browser with the native Web Crypto API. Your message and secret key never leave your device.


  

  

The HMAC Generator creates a keyed hash-based message authentication code from any message and secret key, right in your browser. Choose SHA-256, SHA-1, SHA-384, or SHA-512, paste your message and key, and get back the HMAC as both lowercase hexadecimal and Base64. Everything runs client-side with the native Web Crypto API, so your message and secret key are never uploaded.

What is an HMAC?

An HMAC, or hash-based message authentication code, combines a cryptographic hash function with a secret key to produce a fixed-size code that proves both the integrity and the authenticity of a message. Unlike a plain hash such as SHA-256, which anyone can recompute from the message alone, an HMAC cannot be reproduced without the secret key. That makes it ideal for verifying that a message has not been tampered with and that it came from someone who holds the shared key. HMAC is defined in RFC 2104 and is widely used to sign API requests, webhooks, JWTs, and session tokens.

How to generate an HMAC

Enter the message and secret key, pick a hash algorithm, and generate the code. You get the HMAC in both hexadecimal and Base64.

  1. Type or paste the message you want to authenticate.
  2. Enter the shared secret key that both sides will use.
  3. Choose the hash algorithm (SHA-256 is the common default).
  4. Click Generate HMAC to compute the code.
  5. Copy the hex or Base64 output to use in your signature or comparison.

HMAC vs a plain hash

A plain hash like SHA-256 or MD5 is unkeyed: it maps a message to a digest, but anyone with the message can produce the same digest, so it only protects against accidental corruption. An HMAC mixes in a secret key, so only parties who know the key can compute or verify the code. This is what lets a server confirm that a webhook or API request really came from a trusted client and was not modified in transit. If you only need a fingerprint of some content, a plain hash is enough; if you need authenticity backed by a shared secret, use an HMAC.

Why use this HMAC generator?

  • Fully client-side: computed with the browser's native Web Crypto API, nothing is uploaded.
  • Supports SHA-256, SHA-1, SHA-384, and SHA-512.
  • Outputs both lowercase hexadecimal and Base64.
  • Deterministic: the same message, key, and algorithm always produce the same HMAC.
  • One-click copy of either output format.
  • No installation, sign-up, or external library required.

Frequently asked questions

Is my message or secret key sent to a server?

No. The HMAC is computed entirely in your browser using the native Web Crypto API. Your message, secret key, and the resulting code are never transmitted, stored, or logged. You can confirm this by watching your browser network tools while you generate an HMAC.

What is the difference between HMAC and SHA-256?

SHA-256 is a plain hash function that turns a message into a digest with no key involved, so anyone with the message can reproduce it. HMAC-SHA256 uses SHA-256 as its underlying hash but mixes in a secret key, so only someone who knows the key can compute or verify the result. Use a plain hash for fingerprinting and an HMAC when you need to prove authenticity with a shared secret.

Which hash algorithm should I choose?

HMAC-SHA256 is the most common and a solid default for new systems. SHA-384 and SHA-512 produce longer codes and can be used where a larger output is required. SHA-1 is offered for compatibility with older systems, but it is considered weak and should not be used for new designs. Pick the algorithm that matches whatever you are interoperating with.

Why does it output both hex and Base64?

Different systems expect HMACs in different encodings. Many APIs send the signature as lowercase hexadecimal, while others, including some webhook providers, use Base64. The same underlying bytes are shown in both formats so you can copy whichever one your integration needs.

Will the same inputs always give the same HMAC?

Yes. HMAC is fully deterministic. For a fixed message, secret key, and hash algorithm you always get exactly the same output. That is what lets a receiver recompute the HMAC and compare it to the one you sent to confirm the message is authentic and unchanged.