🔐 HMAC Generator
By ToolNimba Team · Updated 2026-06-19
Enter a message and key, then press Generate HMAC.
This HMAC generator turns a message and a secret key into a keyed hash that anyone holding the same key can reproduce and verify. Pick SHA-256, SHA-1, or SHA-512, paste your message and key, and read back the hex digest instantly. Everything runs locally in your browser using the built-in Web Crypto API, so your secret key and message never leave the page.
HMAC (Hash-based Message Authentication Code) is the workhorse behind webhook signatures, API request signing, and tamper checks. Use this tool to test a signing routine, reproduce a signature you received, or learn how the algorithm behaves when you change the key or the message by a single character.
What is the HMAC Generator?
HMAC is a way to prove two things at once: that a message has not been altered, and that it came from someone who knows a shared secret key. A plain hash like SHA-256 detects accidental change but not deliberate tampering, because anyone who can change the message can also recompute its hash. HMAC mixes a secret key into the hashing process, so only parties who hold the key can produce or check the value. The result is called a message authentication code (MAC).
The algorithm is defined in RFC 2104. The key is first brought to the hash function's block size (64 bytes for SHA-1 and SHA-256, 128 bytes for SHA-512): a key longer than one block is hashed down first, and a shorter one is padded with zero bytes. That padded key K' is XORed with two fixed pads, an inner pad (the byte 0x36 repeated) and an outer pad (the byte 0x5c repeated), and the hash H is applied twice: HMAC = H((K' XOR opad) || H((K' XOR ipad) || message)), where || is concatenation. You do not have to do that by hand: the Web Crypto API does it for you. This tool calls crypto.subtle.importKey to load your secret as a raw HMAC key, then crypto.subtle.sign to produce the code, and finally converts the raw bytes to a hexadecimal string.
The output length depends on the chosen hash. HMAC-SHA1 returns 20 bytes (40 hex characters), HMAC-SHA256 returns 32 bytes (64 hex characters), and HMAC-SHA512 returns 64 bytes (128 hex characters). Because the result is deterministic, the same message and key always yield the same digest, which is exactly what lets a receiver verify it by computing the HMAC again and comparing.
When to use it
- Verifying incoming webhook payloads from providers such as Stripe, GitHub, or Slack that sign each request with HMAC.
- Signing outgoing API requests where the server expects an HMAC of the request body or canonical string.
- Reproducing a signature you were given so you can confirm your own signing code matches the expected output.
- Teaching or learning how a keyed hash differs from a plain hash by changing one character and watching the digest change completely.
- Generating a short integrity tag for a configuration value or token so tampering can be detected later.
How to use the HMAC Generator
- Type or paste the message you want to authenticate into the Message box.
- Enter the shared secret key in the Secret key field. It is treated as raw UTF-8 text.
- Choose the hash algorithm: SHA-256 is the common default, SHA-1 is legacy, and SHA-512 is the longest.
- Press Generate HMAC, or just edit any field and the digest updates automatically.
- Read the hexadecimal HMAC in the result box and press Copy to put it on your clipboard.
Formula & method
Worked examples
Compute the widely cited HMAC-SHA256 example: the message "The quick brown fox jumps over the lazy dog" with the key "key". (This is the example from the Wikipedia HMAC article; it is not one of the official RFC 2202 or RFC 4231 test vectors, which use different keys and messages.)
- Set the algorithm to SHA-256.
- Enter key as the secret key.
- Enter The quick brown fox jumps over the lazy dog as the message.
- The tool imports the key and signs the message with HMAC-SHA256.
Result: f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8 (64 hex characters).
See how a single character change in the key produces a completely different code for the same message.
- Keep the message "Hello, ToolNimba" and algorithm SHA-256.
- Use the key my-secret-key and note the digest.
- Change the key to my-secret-keys (one extra letter) and regenerate.
- Compare the two outputs character by character.
Result: With my-secret-key the digest is 2eb39c18d4c455b0f7d16798e0034f9372367ca4729bd3866c071d6de646ba2c, and the changed key gives an entirely different 64-character string, showing the avalanche effect.
HMAC output length by hash algorithm
| Algorithm | Output bytes | Hex characters | Notes |
|---|---|---|---|
| HMAC-SHA1 | 20 | 40 | Legacy, avoid for new designs |
| HMAC-SHA256 | 32 | 64 | Widely used default |
| HMAC-SHA512 | 64 | 128 | Longest, strong security margin |
Common HMAC use in popular webhook providers
| Provider | Typical algorithm | Where the signature appears |
|---|---|---|
| GitHub | HMAC-SHA256 | X-Hub-Signature-256 header |
| Stripe | HMAC-SHA256 | Stripe-Signature header |
| Slack | HMAC-SHA256 | X-Slack-Signature header |
Common mistakes to avoid
- Confusing HMAC with a plain hash. A plain SHA-256 hash uses no key, so anyone can recompute it. HMAC requires the secret key, which is what makes it an authentication code. Make sure you are using the keyed function, not a bare digest.
- Mismatched key encoding. This tool treats the key as raw UTF-8 text. If the other side expects the key as base64 or hex bytes, decode it first. A different byte interpretation of the same key string produces a different HMAC.
- Hashing the wrong message bytes. Webhook providers usually sign the exact raw request body, sometimes joined with a timestamp. Re-serializing or pretty-printing the body changes the bytes and breaks the match. Sign the original bytes.
- Comparing signatures with a simple equality check. In production code, decode both values to bytes and compare them with a constant-time function (crypto.timingSafeEqual in Node, hmac.compare_digest in Python), checking the lengths first because those functions require equal-length inputs. A naive early-exit string comparison can leak how many leading bytes matched, which an attacker can exploit one byte at a time.
Glossary
- HMAC
- Hash-based Message Authentication Code. A keyed hash that proves both the integrity and the authenticity of a message.
- Secret key
- A shared value known to both the sender and the verifier. Knowledge of the key is what lets a party create or check an HMAC.
- Digest
- The fixed-length output of a hash or HMAC, shown here as a hexadecimal string.
- Hexadecimal
- A base-16 text representation where each byte is written as two characters from 0 to 9 and a to f.
- Avalanche effect
- The property that a tiny change in the input flips about half the output bits, making outputs look unrelated.
Frequently asked questions
What is the difference between a hash and an HMAC?
A hash like SHA-256 takes only a message and can be computed by anyone, so it detects accidental change but not forgery. An HMAC also mixes in a secret key, so only someone who knows the key can produce or verify the value, which proves authenticity as well as integrity.
Which algorithm should I choose?
HMAC-SHA256 is the safe default and matches what most webhook providers and APIs use. Choose SHA-512 if a specification asks for it or you want a longer tag. Use SHA-1 only to interoperate with older systems, because SHA-1 is considered legacy.
Is my secret key or message sent anywhere?
No. The HMAC is computed entirely in your browser with the Web Crypto API; nothing you type is uploaded, logged, or transmitted. That makes the tool reasonable for testing real keys on a machine you trust, with the usual caveats: the inputs are visible to any browser extension that can read the page, and the Copy button places the digest on the system clipboard, so treat production secrets here with the same care as anywhere else.
Why does HMAC-SHA1 still look fairly secure here?
HMAC-SHA1 has held up better than plain SHA-1 because HMAC's security does not rest on collision resistance. The known SHA-1 collision attacks let an attacker craft two inputs with the same hash, but forging an HMAC requires producing a valid tag without the secret key, and no practical forgery attack on HMAC-SHA1 is known. Even so, new systems should prefer SHA-256 or SHA-512 to stay aligned with current guidance, and SHA-1 should only be kept where an existing peer leaves no choice.
How do I verify a signature I received?
Put the exact same message bytes and the same secret key into this tool, choose the matching algorithm, and compare the generated hex with the signature you received. Strip any scheme prefix the provider adds (GitHub, for example, sends sha256= in front of the hex), include any timestamp the provider prepends to the signed string, and compare the hex case-insensitively. If every character matches, the signature is valid; in application code do that comparison in constant time rather than with a plain string equality.
Can I get the output in base64 instead of hex?
This tool shows the result in hexadecimal because that is the most common format for signatures. To convert, decode the hex back to bytes and encode those bytes as base64 using a separate base64 tool.