What is an HMAC Generator?
An HMAC generator creates keyed-hash message authentication codes using a secret key and a hash algorithm (SHA-256, SHA-512, etc.). HMACs verify both data integrity and authenticity, and are commonly used in API authentication, webhook signatures, and JWTs.
HMAC mixes a secret key into the hash so anyone who can verify the signature must already know that key. The tool supports SHA-1, SHA-256, SHA-384, and SHA-512 with hex, Base64, Base64URL, or raw binary output, plus one-click presets for GitHub, Stripe, Slack, and Shopify webhooks that pre-fill the right algorithm and header prefix. The message can be typed as plain text or pasted already encoded as hex, Base64, or Base64URL — it's decoded to raw bytes before signing. A live byte count flags secret keys shorter than the production-safe 32 bytes, the signature recomputes as you type, and a verify field tolerates the sha256= or v0= prefixes those providers send. Both message and key are processed on your device.
How to use
- Step 1 — Enter your message and secret key.
- Step 2 — Pick a webhook preset (GitHub, Stripe, Slack, Shopify) or set the hash algorithm (SHA-1, SHA-256, SHA-384, or SHA-512) and output encoding (hex, Base64, Base64URL, or binary) yourself. Paste a pre-encoded payload by switching the message input to Hex or Base64.
- Step 3 — Copy the generated HMAC signature for use in API headers or webhook verification.
When to use
- Signing webhook payloads so the receiver can verify they came from you and weren't modified.
- Generating request signatures for AWS Signature Version 4 or similar API authentication schemes.
- Producing JWT signatures using the HS256, HS384, or HS512 algorithms.
Result
Your payment API requires HMAC-SHA256 signed requests. Enter the request body as the message, your API secret as the key, and copy the resulting signature into the X-Signature header.
FAQ
- What's the difference between HMAC and a plain SHA-256 of message+key?
- HMAC uses a specific double-hashing construction with inner and outer padded keys. This protects against length-extension attacks that affect naïve hash(key || message) schemes built on SHA-1 or SHA-256.
- Should I use hex or Base64 for the output?
- Match what the API or webhook provider expects. Hex is common in HTTP headers (Stripe, GitHub); Base64 is common in JSON bodies and JWT. The same signature works either way; only the encoding differs.
- How long should my secret key be?
- Use at least 32 bytes (256 bits) of random data, ideally generated from a cryptographic source. Shorter keys reduce security; keys longer than the hash's block size (64 bytes for SHA-256) give no additional strength because HMAC hashes them down internally.
- Why does my signature differ from the one the API sent me?
- Usually a mismatch in what gets signed. Whitespace, line endings, the exact order of query parameters, URL encoding, and whether to include the timestamp all matter. Read the provider's signing recipe carefully and reproduce it byte for byte.
- Is HMAC-SHA1 still safe to use?
- For new systems prefer HMAC-SHA256 or stronger. HMAC-SHA1 remains technically secure because the construction doesn't depend on collision resistance, but moving off SHA-1 across the board is the safer long-term default.
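The receiving side of the checks described in the FAQ, as an added example that is not code from this tool: it recomputes HMAC-SHA256 over the raw body bytes, strips the sha256= or v0= prefix, compares in constant time, and shows why a re-serialized body fails. The key, body, header value, and the unpadded Base64URL form are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

PREFIXES = ("sha256=", "v0=")  # prefixes named on this page; stripped before comparing


def sign(key: bytes, body: bytes, encoding: str = "hex") -> str:
    """HMAC-SHA256 over the raw body bytes, in the requested text encoding."""
    digest = hmac.new(key, body, hashlib.sha256).digest()
    if encoding == "hex":
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode()
    if encoding == "base64url":  # assumption: unpadded, as in JWT
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    raise ValueError(f"unsupported encoding: {encoding}")


def verify(key: bytes, body: bytes, header_value: str, encoding: str = "hex") -> bool:
    """Check a received signature against the bytes exactly as they arrived."""
    received = header_value.strip()
    for prefix in PREFIXES:
        if received.startswith(prefix):
            received = received[len(prefix):]
            break
    if encoding == "hex":
        received = received.lower()  # hex is case-insensitive; Base64 is not
    expected = sign(key, body, encoding)
    # compare_digest runs in constant time, so timing does not leak a partial match
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample data, not taken from any real provider.
KEY = bytes(range(32))                               # 32-byte key (demo only, not random)
RAW_BODY = b'{"event": "paid",  "amount": 100}\r\n'  # bytes as received on the wire
HEADER = "sha256=" + sign(KEY, RAW_BODY)

# Parsing and re-serializing JSON changes whitespace and line endings.
RESERIALIZED = json.dumps(json.loads(RAW_BODY)).encode()

if __name__ == "__main__":
    print("raw body verifies:     ", verify(KEY, RAW_BODY, HEADER))
    print("re-serialized verifies:", verify(KEY, RESERIALIZED, HEADER))
    print("base64 form verifies:  ", verify(KEY, RAW_BODY, sign(KEY, RAW_BODY, "base64"), "base64"))
```

Verify against the request body before any JSON parsing or framework normalization touches it; the second check fails only because the bytes changed, not the key.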