HMAC Generator

HMAC (Hash-based Message Authentication Code) is a mechanism for calculating a message authentication code using a cryptographic hash function combined with a secret key. It provides both data integrity and authentication — the receiver can verify that the message has not been altered and that it was sent by someone who knows the shared secret key.

Unlike a plain hash (like SHA-256), an HMAC requires a secret key. This means that even if an attacker knows the message, they cannot compute the correct HMAC without the key. This property makes HMAC essential for webhook signature verification, API authentication, JWT signing (HS256/HS384/HS512), and secure token generation.

This tool supports three HMAC algorithms: HMAC-SHA256 (256-bit output), HMAC-SHA384 (384-bit output), and HMAC-SHA512 (512-bit output). HMAC-SHA256 is the most commonly used — it is the algorithm behind JWT HS256 signatures, AWS Signature v4, Stripe webhook verification, and many other authentication systems.

The HMAC computation follows RFC 2104: the key is padded and XORed with inner and outer padding constants, then combined with the message in two rounds of hashing. The Web Crypto API implements this securely in the browser, avoiding any need for custom cryptographic code.

All HMAC calculations happen in your browser using the Web Crypto API. Your secret keys and messages are never transmitted to any server. This makes the tool safe for computing HMACs with production API keys, webhook secrets, and other sensitive credentials.