What key length should I use for HMAC?

Use a key at least as long as the hash output — 32 bytes for HMAC-SHA-256, 64 bytes for HMAC-SHA-512. Use a cryptographically random key, not a human-readable password. Our HMAC generator accepts any string as a key.

Can I use HMAC for JWT tokens?

Yes. JWT tokens using HS256, HS384, or HS512 algorithms use HMAC-SHA-256, HMAC-SHA-384, or HMAC-SHA-512 respectively. The JWT signature is HMAC(base64url(header) + "." + base64url(payload), secret) with Base64URL output. Our HMAC generator can compute this for debugging and verification.

HMAC Generator

Generate HMAC signatures online for free with our HMAC generator. Compute HMAC-SHA-256, SHA-384, SHA-512, and SHA-1 signatures for API authentication, webhook verification, and JWT tokens. Supports hex, Base64, and Base64URL output — all computed locally in your browser, no signup required.

HMAC Generator

Enter your message and secret key, select an algorithm and output format, then click Generate. All HMAC signatures are computed locally in your browser using the Web Crypto API — your data never leaves your device.

Algorithm

Output Format

Message / Payload

Secret Key

Expected output: 64 chars · Algorithm: HMAC-SHA-256

Quick Reference

HMAC-SHA-256: Standard choice for APIs, webhooks, and JWT HS256

HMAC-SHA-512: Maximum security for high-value signatures

Hex output: Lowercase hex string, common in API signatures

Base64URL: URL-safe, used in JWT tokens and OAuth

Why Use Our HMAC Generator?

Instant HMAC Signature Generation

Our HMAC generator computes signatures in milliseconds using your browser's native Web Crypto API. Generate HMAC-SHA-256, SHA-384, and SHA-512 signatures instantly — no waiting, no page reloads.

Secure HMAC Generator Online

All HMAC computations run entirely in your browser. Your message payload and secret key never leave your device, ensuring complete privacy when you generate HMAC signatures online.

HMAC Generator Online — No Installation

Use our HMAC generator directly in any browser with no downloads, plugins, or account required. Generate HMAC signatures from any device — desktop, tablet, or mobile — for free.

Multiple Algorithms and Output Formats

Our HMAC generator supports HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, and HMAC-SHA-1 with hex, Base64, and Base64URL output formats — covering every API, webhook, and JWT use case.

Common Use Cases for HMAC Generator

API Request Authentication

APIs use HMAC signatures to verify that requests come from authorized clients. Use our HMAC generator to sign API payloads with your secret key and verify that the signature matches what your server expects.

Webhook Signature Verification

Webhook providers like Stripe, GitHub, and Shopify sign payloads with HMAC-SHA-256. Use our HMAC generator to manually verify webhook signatures during development and debugging.

JWT HS256 / HS512 Token Signing

JSON Web Tokens using HS256 or HS512 algorithms use HMAC for signing. Our HMAC generator helps you understand and verify JWT signatures by computing the expected HMAC of the header.payload string.

Message Integrity Verification

HMAC ensures that a message has not been tampered with in transit. Use our HMAC generator to create and verify message authentication codes for secure communication between systems.

OAuth 1.0 Signature Computation

OAuth 1.0 uses HMAC-SHA1 for request signing. Our HMAC generator supports HMAC-SHA-1 output so you can manually compute and verify OAuth signatures during API integration and debugging.

Security Testing & Debugging

Security engineers and developers use our HMAC generator to test authentication implementations, verify signature algorithms, and debug HMAC mismatches in API integrations and webhook handlers.

Understanding HMAC Signatures

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a cryptographic mechanism that combines a secret key with a hash function (SHA-256, SHA-512, etc.) to produce a fixed-length signature. Unlike a plain hash, an HMAC signature can only be verified by someone who knows the secret key — making it ideal for authenticating messages between two parties who share a secret. Our HMAC generatoruses the browser's native Web Crypto API to compute HMAC signatures entirely client-side.

HMAC is defined in RFC 2104 and is used in HTTPS, JWT tokens, API authentication, webhook verification, and OAuth. It provides both data integrity (the message was not modified) and authentication (the message came from someone with the secret key).

How Our HMAC Generator Works

Enter Your Message and Key: Paste your message payload and secret key into the input fields. Our HMAC generator accepts any text — JSON payloads, plain strings, or structured data.
Instant Browser-Based Processing: Select your algorithm and output format, then click Generate. The HMAC computation runs entirely in your browser using the Web Crypto API. Your message and secret key never leave your device.
Copy or Download the Signature: The HMAC signature is displayed in your chosen format (hex, Base64, or Base64URL). Copy it to your clipboard or download it as a text file for use in your application.

Supported Algorithms and Output Formats

HMAC-SHA-256: The most widely used HMAC algorithm. Produces a 256-bit (32-byte) signature. Used in AWS Signature V4, Stripe webhooks, GitHub webhooks, and JWT HS256 tokens.
HMAC-SHA-384: Produces a 384-bit (48-byte) signature. Provides higher security than SHA-256 with moderate performance overhead. Used in high-security API authentication.
HMAC-SHA-512: Produces a 512-bit (64-byte) signature. Maximum security for HMAC operations. Used in JWT HS512 tokens and high-value transaction signing.
HMAC-SHA-1: Legacy algorithm producing a 160-bit (20-byte) signature. Still used in OAuth 1.0 and some older APIs. Not recommended for new implementations — prefer SHA-256 or higher.

Important Security Notes

The security of an HMAC signature depends entirely on the secrecy of your key. Use a cryptographically random key of at least 32 bytes (256 bits) for HMAC-SHA-256. Never use predictable values like passwords or sequential numbers as HMAC keys. Our HMAC generator computes signatures locally in your browser — your secret key is never transmitted over the network. Always store HMAC keys securely and rotate them regularly in production systems.

Related Tools

RSA/ECDSA Key Generator

Generate cryptographically secure RSA and ECDSA public/private key pairs using the Web Crypto API - Free online key generator

Cryptographically Secure Password Generator

Generate high-entropy passwords with browser cryptographic randomness and policy controls - Free secure password generator

UUID / GUID Batch Generator

Generate batches of up to 10,000 cryptographically secure UUID v4 (random) or UUID v7 (time-ordered) identifiers in your browser - Free online UUID generator

AES File Encryptor/Decryptor

Encrypt and decrypt files locally using AES-256-GCM with PBKDF2 passphrase-based key derivation - Free online AES file encryptor

Frequently Asked Questions About HMAC Generator

An HMAC generator is a tool that computes Hash-based Message Authentication Codes — cryptographic signatures that combine a secret key with a hash function to authenticate messages. Our HMAC generator supports HMAC-SHA-256, SHA-384, SHA-512, and SHA-1 with hex, Base64, and Base64URL output, running entirely in your browser.

A regular hash (like SHA-256) produces the same output for the same input regardless of who computes it — anyone can verify or reproduce it. HMAC requires a secret key, so only parties who know the key can produce or verify the signature. This makes HMAC suitable for authentication, while plain hashes are used for integrity checking.

Use HMAC-SHA-256 for most applications — it is the industry standard for API authentication, webhooks, and JWT HS256 tokens. Use HMAC-SHA-512 for maximum security or JWT HS512. Avoid HMAC-SHA-1 for new implementations as SHA-1 is considered legacy, though it is still required for OAuth 1.0 compatibility.

Absolutely. All HMAC computations run entirely in your browser using the Web Crypto API. Your secret key and message payload never leave your device and are never transmitted to any server. You can use our HMAC generator online with complete privacy.

Yes — our HMAC generator is 100% free with no signup, no account, no premium tier, and no usage limits. Generate as many HMAC signatures as you need, at no cost.

Use hex for most API signatures (AWS, Stripe, GitHub webhooks). Use Base64URL for JWT tokens and OAuth 2.0 flows. Use Base64 for systems that expect standard Base64 encoding. All three formats represent the same underlying HMAC signature — just encoded differently.

To verify a webhook signature, compute the HMAC of the raw request body using your webhook secret key and compare it to the signature in the request header. For example, Stripe sends X-Stripe-Signature with a HMAC-SHA-256 hex signature. Use our HMAC generator to compute the expected signature and compare it manually during debugging.

Use a key at least as long as the hash output — 32 bytes (256 bits) for HMAC-SHA-256, 64 bytes for HMAC-SHA-512. Shorter keys reduce security. Use a cryptographically random key generated by a secure random number generator, not a human-readable password. Our HMAC generator accepts any string as a key.

Yes. JWT tokens using HS256, HS384, or HS512 algorithms use HMAC-SHA-256, HMAC-SHA-384, or HMAC-SHA-512 respectively. The JWT signature is computed as HMAC(base64url(header) + "." + base64url(payload), secret) with Base64URL output. Our HMAC generator can compute this signature for debugging and verification purposes.