All Tools About Blog Code Examples MCP Server — Use tools from AI agents
Workflows Paste Anything — Smart Detector Tool Pipeline Builder Bulk / Batch Processor
JSON Tools JSON Formatter & Beautifier JSON Validator JSON to CSV Converter JSON to TypeScript Generator JSON to Python Converter JSON Flatten & Unflatten jq Playground — JSON Processor JSON Mock Data Generator JSON Schema Validator JSONPath Evaluator JSON Schema Generator JSON Patch / Diff Generator
Encoding Tools Base64 Encoder / Decoder URL Encoder / Decoder Hash Generator (MD5/SHA) JWT Decoder HTML Entity Encoder / Decoder Image to Base64 Converter String Escape / Unescape Tool ASCII / Binary / Hex Converter Protobuf Decoder — Wire Format Viewer Encoding Detective — Mojibake Repair
Formatters HTML Beautifier XML Formatter & Validator SQL Formatter & Beautifier CSS Minifier & Beautifier JavaScript Minifier & Beautifier TOML Formatter & Converter YAML Formatter, Validator & Minifier
Generators UUID Generator Password Generator QR Code Generator Lorem Ipsum Generator Cron Expression Generator chmod Calculator Slug / URL Generator .gitignore Generator
Testing Tools Regex Tester Regex Explainer — Plain English
Security Tools HMAC Generator Content Security Policy Generator SSH Key Generator SSL Certificate Decoder CORS Header Builder & Generator
Design Tools Color Picker & Converter Placeholder Image Generator SVG Path Editor & Visualizer
Comparison Tools Diff Checker / Text Compare .env Diff & Merge
Converters JSON-YAML Converter Epoch / Unix Timestamp Converter Markdown to HTML Preview Curl to Fetch/Axios Converter Tailwind CSS Converter OpenAPI to TypeScript Text Case Converter Number Base Converter CSV Viewer & Editor Date & Time Format Converter SQL to MongoDB & N1QL Converter Semver Calculator & Comparator Byte / Size Calculator URL Parser & Builder Glob to Regex Converter Math Expression Evaluator SQL DDL to TypeScript Converter Duration / Time Calculator CSS Unit Converter — px, rem, em, pt, vw, vh JSON to Go Struct Converter HTML to Markdown Converter CSV to SQL Converter SQL to ORM Converter
Reference HTTP Status Code Explorer Git Command Builder GraphQL Schema Explorer MIME Type Lookup
Text Tools Word & Character Counter Text Line Sorter, Deduplicator & Tools
Networking Tools Subnet / CIDR Calculator
DevOps Tools Nginx Config Generator Docker Compose Validator Robots.txt Generator & Validator GitHub Actions YAML Validator

HMAC Generator

Generate HMAC-SHA256, HMAC-SHA512, and HMAC-SHA1 signatures. Verify webhooks, sign API requests, and test JWT tokens. Free, client-side.

Your data never leaves your browser Available via MCP
Next steps
Hash Generator JWT Decoder Base64 Passwords

How to Use

  1. Select an HMAC algorithm — HMAC-SHA256 is the most widely used.
  2. Enter your secret key in the key field (click Show to reveal it).
  3. Enter or paste the message to authenticate.
  4. The HMAC signature updates automatically. Switch between hex and Base64 output.
  5. To verify a webhook signature, click Verify mode, paste the expected signature, and check if it matches.
  6. Click Copy to copy the result.

What Is HMAC?

HMAC (Hash-based Message Authentication Code) is defined in RFC 2104. It combines a cryptographic hash function (like SHA-256) with a secret key to produce a signature that verifies both the integrity and authenticity of a message. The key insight: even if an attacker knows the hash algorithm and the message, they cannot forge a valid HMAC without the secret key.

The HMAC construction works by XOR-ing the key with two different padding constants (ipad and opad), then hashing the result in two passes: HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m)). This double-hashing construction provides security even if the underlying hash function has certain weaknesses.

Common Use Cases

  • Webhook verification — Stripe, GitHub, Slack, and most SaaS providers sign webhook payloads with HMAC-SHA256. You verify by computing the HMAC of the request body with your webhook secret and comparing it to the signature header.
  • JWT signing — JWTs using HS256, HS384, or HS512 algorithms are signed with HMAC. The signature ensures the token hasn't been tampered with.
  • API authentication — AWS Signature V4 uses HMAC-SHA256 to sign API requests, proving the caller possesses the secret access key without transmitting it.
  • Message authentication — TLS, IPsec, and SSH use HMAC to verify that messages haven't been modified in transit.

Verifying Webhook Signatures

Most webhook providers include an HMAC signature in a header like X-Hub-Signature-256 (GitHub) or Stripe-Signature. To verify: compute the HMAC of the raw request body using your webhook secret, then compare it to the header value. Use this tool to quickly test whether your secret and payload produce the expected signature.

HMAC in Code

In JavaScript, use the Web Crypto API: crypto.subtle.importKey() then crypto.subtle.sign('HMAC', key, data). In Node.js, use crypto.createHmac('sha256', secret).update(message).digest('hex'). In Python, use hmac.new(key, msg, hashlib.sha256).hexdigest().

HMAC-SHA1 Security

While plain SHA-1 is considered broken for collision resistance, HMAC-SHA1 remains cryptographically secure. The HMAC construction's security depends on the hash function's pseudorandom function (PRF) properties, not its collision resistance. However, most new implementations prefer HMAC-SHA256 to avoid confusion and future-proof against potential attacks.

Related Tools

Generate plain hashes with the Hash Generator. Decode and inspect JWT tokens signed with HMAC. Encode binary data with the Base64 Encoder. Generate secure keys with the Password Generator. Test API requests with the Curl Converter.

Frequently Asked Questions

What is HMAC?
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a keyed hash. Unlike a plain hash, HMAC proves both the integrity of the message and that the sender possesses the secret key.
What is the difference between a hash and an HMAC?
A hash (like SHA-256) takes only a message and produces a digest — anyone can compute the same hash. An HMAC takes both a message and a secret key, so only parties who know the key can produce or verify the signature. This makes HMAC suitable for authentication, while plain hashes are only suitable for integrity checks.
When should I use HMAC?
Use HMAC to verify webhook signatures (Stripe, GitHub, Slack), authenticate API requests with shared secrets, sign JWT tokens (HS256/HS384/HS512), and implement message authentication in protocols like TLS.
Is my secret key safe?
Yes. All HMAC computation happens entirely in your browser using the Web Crypto API. Your secret key and message are never sent to any server.
Which HMAC algorithm should I use?
HMAC-SHA256 is the most common choice and is used by most webhook providers and JWT implementations. HMAC-SHA512 provides a larger security margin. HMAC-SHA1 is still cryptographically secure for HMAC use (unlike plain SHA-1 for hashing) but is being phased out in favor of SHA-256.

Related Tools

Content Security Policy Generator

Generate Content Security Policy headers with an interactive builder. Configure all CSP directives with presets and custom domains.

SSH Key Generator

Generate RSA and ECDSA SSH key pairs entirely in your browser. Private keys never leave your device.

SSL Certificate Decoder

Decode PEM-encoded SSL/TLS certificates and view subject, issuer, validity dates, SANs, and key information.

CORS Header Builder & Generator

Generate CORS headers interactively. Output as HTTP headers, Nginx config, Express middleware, or Apache .htaccess.

Paste Anything — Smart Detector

Paste any text and instantly detect its format — JSON, JWT, Base64, UUID, SQL, timestamps, colors, and more.

Use this tool from AI agents. The CodeTidy MCP Server lets Claude, Cursor, and other AI agents use this tool and 46 others directly. One command: npx @codetidy/mcp

Drop file to load