Creating an HMAC signature
Here's how to use this tool:
- Type or paste your message into the input box
- Enter your secret key (this is what makes your HMAC unique)
- Pick a hash algorithm - SHA256 is usually the best choice
- The HMAC appears automatically - copy it and you're done
What HMAC does and why developers love it
HMAC stands for Hash-based Message Authentication Code, and it's basically a way to prove that a message came from someone who knows a secret key. Unlike regular hashing (which anyone can do), HMAC requires both the message and a secret key. This makes it perfect for API authentication - when you make a request, you include an HMAC signature. The server can verify it came from you by recreating the HMAC with the same secret key. If the signatures match, they know it's authentic. It's used everywhere from GitHub webhooks to AWS API requests to OAuth flows.
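The sign-then-verify exchange described above, as an added example (not code from this tool): the sender computes the tag with the shared secret, and the receiver recomputes it and compares with a constant-time check. The secret key and webhook body are constructed sample values.

```python
import hmac

# Constructed sample values: a shared secret and a webhook-style JSON body.
SECRET_KEY = b"example-shared-secret"
MESSAGE = b'{"event":"payment.completed","amount":"19.99"}'


def sign(message: bytes, key: bytes, algorithm: str = "sha256") -> str:
    """Sender side: compute the HMAC tag of `message` under `key`, hex-encoded.

    `algorithm` is any hashlib digest name ("sha256", "sha512", "sha3_256", ...).
    """
    return hmac.new(key, message, algorithm).hexdigest()


def verify(message: bytes, key: bytes, received_tag: str,
           algorithm: str = "sha256") -> bool:
    """Receiver side: recompute the tag and compare it with the one received.

    hmac.compare_digest runs in constant time, so a timing measurement cannot
    reveal how many leading characters of a guessed tag were correct.
    """
    expected = sign(message, key, algorithm)
    return hmac.compare_digest(expected, received_tag)


if __name__ == "__main__":
    tag = sign(MESSAGE, SECRET_KEY)
    print("tag:", tag)
    print("genuine message verifies:", verify(MESSAGE, SECRET_KEY, tag))
    # A single changed byte in the body, or a different key, makes the tag fail.
    print("tampered body verifies:", verify(MESSAGE + b" ", SECRET_KEY, tag))
    print("wrong key verifies:", verify(MESSAGE, b"other-key", tag))
```

Always verify with `hmac.compare_digest` (or your language's equivalent) rather than `==`, since an ordinary string comparison stops at the first mismatching byte.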
Where you'll actually use HMAC
- API security: Sign your API requests so servers know they're legitimate
- Webhook verification: Verify that webhooks really came from the service you expect
- Message signing: Prove messages haven't been tampered with in transit
- JWT tokens: Many JSON Web Token implementations use HMAC for signing
- OAuth flows: Part of the OAuth authentication process
- Payment processing: Verify payment notifications and webhooks
Which algorithm should you pick?
- SHA256: The default choice for most applications - good balance of security and speed
- SHA512: When you need extra security and don't mind longer hashes
- SHA3 variants: Modern alternatives with different security properties
- SHA224/SHA384: Less common but available if you need specific hash lengths
- MD5/SHA1: Only for legacy compatibility - avoid for new projects
Frequently Asked Questions (FAQs)
What's the difference between HMAC and a regular hash?
A regular hash (like SHA256) only proves integrity - you can verify data hasn't changed. HMAC adds authentication - it proves the data came from someone who knows your secret key. Think of it like this: a hash is like a tamper-evident seal, but HMAC is like a signature that only someone with the right key can create.
Which HMAC algorithm should I use for my project?
For most cases, go with SHA256. It's the industry standard, well-tested, and provides excellent security. SHA512 gives you more security but produces longer hashes. Only use MD5 or SHA1 if you're working with legacy systems that require them - they're not secure enough for new projects.
How secure is HMAC really?
HMAC is considered very secure when you use a strong hash algorithm like SHA256 or SHA512. The security depends on two things: keeping your secret key truly secret, and using a secure hash function. As long as your key stays private and you're using SHA256 or better, HMAC provides strong authentication.
Can I use HMAC to hash passwords?
Technically yes, but it's not the best choice. HMAC is designed for message authentication, not password storage. For passwords, you want functions specifically designed to be slow and resist brute-force attacks - like bcrypt, Argon2, or PBKDF2. These make it computationally expensive to try millions of password guesses.
What happens if someone gets my secret key?
If your secret key leaks, anyone can create valid HMAC signatures pretending to be you. That's why key security is critical - store keys securely, rotate them periodically, and never commit them to version control. Treat your HMAC secret key like you would a password - keep it private and change it if it might be compromised.