HMAC Signature Generator & Calculator

Generate HMAC-SHA256, HMAC-SHA512, HMAC-SHA1, and HMAC-MD5 signatures from a message and secret key. Verify webhook signatures from Stripe, GitHub, Slack, and Shopify. Output in hex or Base64 format. Essential for API request signing, webhook payload verification, and message authentication.

HMAC Generator: Enter a message and secret key, select a hash algorithm (SHA-256, SHA-512, etc.), and get the HMAC output instantly. Use it for API authentication, webhook verification, and message integrity checks.

HMAC Generator

Compute Hash-based Message Authentication Codes

Plain Text Input

Secret Key

The secret key is used to sign the message.

HMAC Output

Secure & Client-Side

All computations happen directly in your browser. Your message and secret key never leave your device.

Versatile Hashing

Supports standard algorithms like SHA-256 (standard for JWTs) and legacy MD5 for compatibility.

Key Takeaways

HMAC combines a secret key with a hash function for authentication
Supports SHA-1, SHA-256, SHA-384, SHA-512, and MD5 algorithms
Used by APIs (AWS, Stripe, GitHub) for request signing and webhook verification
HMAC is more secure than plain hashing — it prevents length extension attacks
Output is a fixed-length hex string regardless of input size

What is HMAC Generator?

HMAC Generator — An HMAC Generator is a free tool that creates Hash-based Message Authentication Codes using a secret key and a hash algorithm to verify data integrity and authenticity.

Calculate HMAC (Hash-based Message Authentication Code) signatures with this free online tool. Enter your message payload and secret key, select the hash algorithm (HMAC-SHA256, HMAC-SHA512, HMAC-SHA1, or HMAC-MD5), and generate the signature in hex or Base64 format. HMAC is the standard mechanism for API request signing and webhook payload verification used by Stripe, GitHub, Slack, Shopify, AWS, and most modern APIs. Use this tool to debug signature mismatches, verify webhook payloads, test API authentication implementations, and compare HMAC outputs across programming languages (Node.js, Python, Go, PHP).

How to Use HMAC Generator

1
Paste the exact message or webhook payload body — whitespace and encoding must match exactly.
2
Enter the shared secret key provided by your API service (Stripe webhook secret, GitHub secret, etc.).
3
Select the hash algorithm (HMAC-SHA256 is most common) and output format (hex or Base64).
4
Compare the generated HMAC signature with the one in your webhook header or API response.

Key Features

HMAC-SHA256, HMAC-SHA512, HMAC-SHA1, and HMAC-MD5 algorithms

Hex and Base64 output format selection

Exact payload input for precise webhook signature reproduction

One-click copy for comparing with API headers and webhook signatures

Client-side computation — secret keys never transmitted to any server

Use Cases

Verifying Stripe, GitHub, Slack, and Shopify webhook signatures

Debugging API request signing for AWS Signature v4 and custom HMAC auth

Testing HMAC implementations across Node.js, Python, Go, and PHP

Validating message integrity for secure inter-service communication

About HMAC Generator

HMAC combines a secret key with a hash function to produce a signature that verifies both the integrity and authenticity of a message. Unlike plain hashing (SHA-256 alone), HMAC prevents length extension attacks and ensures that only parties with the shared secret can generate valid signatures. HMAC-SHA256 produces a 64-character hex string regardless of input size.

The most common cause of HMAC signature mismatches is payload canonicalization — extra whitespace, different line endings (CRLF vs LF), or JSON key ordering can change the signature even when the content appears identical. Always use the raw request body bytes for webhook verification, not a parsed-and-re-serialized version.

Frequently Asked Questions

What is the difference between HMAC and plain SHA-256 hashing?: Plain SHA-256 hashes only the message — anyone can compute it. HMAC-SHA256 requires a secret key, so only parties with the key can generate or verify the signature. HMAC also prevents length extension attacks.
How do I verify a Stripe webhook signature?: Use the Stripe webhook signing secret (whsec_...) as the key, the raw request body as the message, and HMAC-SHA256 with hex output. Compare with the signature in the Stripe-Signature header.
Why does my HMAC signature not match the expected value?: Common causes: using parsed JSON instead of raw body bytes, wrong encoding (UTF-8 vs ASCII), wrong algorithm (SHA-256 vs SHA-1), hex vs Base64 mismatch, or extra whitespace/newlines in the payload.
Which HMAC algorithm should I use?: HMAC-SHA256 is the standard for most modern APIs (Stripe, GitHub, Shopify). HMAC-SHA512 offers more bits but is slower. HMAC-SHA1 is legacy but still used by some older APIs. Avoid HMAC-MD5 for new implementations.
Is HMAC secure for API authentication?: Yes. HMAC is a proven, standardized mechanism for message authentication used in production by AWS, Stripe, GitHub, and thousands of APIs. Use a strong random secret key and always use constant-time comparison to prevent timing attacks.
Can I use HMAC for password hashing?: No. HMAC is fast by design, making it unsuitable for password hashing. Use dedicated password hashing algorithms like bcrypt or Argon2 that include deliberate computational slowness and salting.

Loading your tools...

Frequently Asked Questions

What is the difference between HMAC and plain SHA-256 hashing?

Plain SHA-256 hashes only the message — anyone can compute it. HMAC-SHA256 requires a secret key, so only parties with the key can generate or verify the signature. HMAC also prevents length extension attacks.

How do I verify a Stripe webhook signature?

Use the Stripe webhook signing secret (whsec_...) as the key, the raw request body as the message, and HMAC-SHA256 with hex output. Compare with the signature in the Stripe-Signature header.

Why does my HMAC signature not match the expected value?

Common causes: using parsed JSON instead of raw body bytes, wrong encoding (UTF-8 vs ASCII), wrong algorithm (SHA-256 vs SHA-1), hex vs Base64 mismatch, or extra whitespace/newlines in the payload.

Which HMAC algorithm should I use?

HMAC-SHA256 is the standard for most modern APIs (Stripe, GitHub, Shopify). HMAC-SHA512 offers more bits but is slower. HMAC-SHA1 is legacy but still used by some older APIs. Avoid HMAC-MD5 for new implementations.

Is HMAC secure for API authentication?

Yes. HMAC is a proven, standardized mechanism for message authentication used in production by AWS, Stripe, GitHub, and thousands of APIs. Use a strong random secret key and always use constant-time comparison to prevent timing attacks.

Can I use HMAC for password hashing?

No. HMAC is fast by design, making it unsuitable for password hashing. Use dedicated password hashing algorithms like bcrypt or Argon2 that include deliberate computational slowness and salting.

Tools

Finance

AI

Media

Marketing

More

HMAC Signature Generator & Calculator

Key Takeaways

What is HMAC Generator?

How to Use HMAC Generator

Key Features

Use Cases

About HMAC Generator

Frequently Asked Questions

HMAC Signature Generator & Calculator

Key Takeaways

What is HMAC Generator?

How to Use HMAC Generator

Key Features

Use Cases

About HMAC Generator

Frequently Asked Questions