HMAC Generator
Generate HMAC-SHA-1/256/384/512 signatures for API authentication and message integrity verification.
All computation uses the Web Crypto API and runs entirely in your browser. Keys and messages are never sent to a server.
About this tool
HMAC (Hash-based Message Authentication Code) is a mechanism for verifying the integrity and authenticity of a message using a secret key combined with a cryptographic hash function. The receiver can verify an HMAC only if they possess the same secret key, which proves the message was created by someone with access to that key and has not been altered in transit.
HMAC is defined by a specific construction: the key is padded and XORed with constant values (ipad and opad), and the hash is computed twice — once on the inner key and message, and again on the outer key and the inner hash result. This double-hashing construction is provably secure as long as the underlying hash function is secure, and it prevents several attacks that would apply to a naive MAC(key, message) = H(key || message) construction.
Practical uses of HMAC include signing webhook payloads (so webhook receivers can verify requests came from the expected sender and were not tampered with), signing API requests (AWS Signature Version 4 uses HMAC-SHA256), generating secure download tokens, cookie integrity verification, and as a building block in key derivation functions (PBKDF2 uses HMAC internally). HMAC is symmetric — the same key signs and verifies — unlike asymmetric digital signatures (RSA, ECDSA) where the private key signs and the public key verifies.