HMAC Generator
Compute an HMAC over any message with a secret key. HMAC is the standard way to sign and verify webhooks and API requests, so you can use this to reproduce a signature header (for example Stripe, GitHub or Shopify) and confirm it matches.
How to generate an HMAC
- Paste the message or payload you want to authenticate.
- Enter the shared secret key and pick a hash algorithm (SHA-256 is the common default).
- Copy the resulting HMAC in hex or base64 and compare it to the signature you received.
Examples
RFC 4231 test vector
message "what do ya want for nothing?", key "Jefe", SHA-256
5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843
Frequently asked questions
What is the difference between an HMAC and a plain hash?
A plain hash like SHA-256 only depends on the message, so anyone can recompute it. An HMAC also mixes in a secret key, so only parties who know the key can produce or verify it. That is what makes it useful for authentication.
How do I verify a webhook signature with this?
Most providers sign the raw request body with your endpoint secret using HMAC-SHA256. Paste the exact raw body as the message and your signing secret as the key, then compare the output to the signature header they sent.
Should I use hex or base64 output?
Match whatever the provider uses. GitHub and Stripe send hex, while some APIs use base64. The tool offers both so you can compare directly.
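Added example (not part of the original page or the tool's own code): the same check done server-side in Python, covering both the webhook-verification and the hex/base64 answers above. It decodes the received signature to raw bytes, compares in constant time, and shows that a re-serialized body no longer verifies. The function names, the sample secret and the sample body are constructed for illustration; the test vector is the RFC 4231 one quoted on this page.

```python
import base64
import hmac
from typing import Optional

ALLOWED = {"sha1", "sha256", "sha384", "sha512"}  # algorithms named on this page


def tag(secret: bytes, raw_body: bytes, algorithm: str = "sha256") -> bytes:
    """Raw HMAC tag over the exact bytes received (never a re-parsed copy)."""
    if algorithm not in ALLOWED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hmac.new(secret, raw_body, algorithm).digest()


def sign(secret: bytes, raw_body: bytes, encoding: str = "hex", algorithm: str = "sha256") -> str:
    """Encode the tag the way a provider would put it in a signature header."""
    raw = tag(secret, raw_body, algorithm)
    return raw.hex() if encoding == "hex" else base64.b64encode(raw).decode("ascii")


def decode_signature(value: str, encoding: str) -> Optional[bytes]:
    """Decode a received signature value; None means it was malformed."""
    if encoding not in ("hex", "base64"):
        raise ValueError(f"unsupported encoding: {encoding}")
    try:
        if encoding == "hex":
            return bytes.fromhex(value)
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def verify_signature(secret: bytes, raw_body: bytes, received: str,
                     encoding: str = "hex", algorithm: str = "sha256") -> bool:
    candidate = decode_signature(received.strip(), encoding)
    # Comparing decoded bytes treats upper- and lower-case hex alike, and
    # compare_digest does not reveal how many leading bytes matched.
    return candidate is not None and hmac.compare_digest(tag(secret, raw_body, algorithm), candidate)


if __name__ == "__main__":
    rfc_tag = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"
    print(verify_signature(b"Jefe", b"what do ya want for nothing?", rfc_tag))
    # Constructed sample: the secret and body below are made up for this example.
    secret, body = b"constructed-test-secret", b'{"id": 42, "event": "paid"}'
    header = sign(secret, body)
    print(verify_signature(secret, body, header))                          # exact raw body
    print(verify_signature(secret, b'{"id":42,"event":"paid"}', header))  # re-serialized JSON
```

The last call fails because the whitespace changed: the HMAC covers bytes, not the parsed JSON, so verification has to run on the body exactly as it arrived.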
Which algorithm should I choose?
SHA-256 is the modern default. SHA-1 is still seen in older systems but is weaker, and SHA-384 or SHA-512 give a longer tag if a provider requires it.
Is my key or message sent to a server?
No. The HMAC is computed locally in your browser with the Web Crypto API. Your secret key and message never leave your machine.