Loading your tools...
HMAC Generator & Calculator
Securely generate Hash-based Message Authentication Codes using secret keys and standard hashing algorithms like SHA-256 and MD5.
HMAC Generator
Compute Hash-based Message Authentication Codes
The secret key is used to sign the message.
Secure & Client-Side
All computations happen directly in your browser. Your message and secret key never leave your device.
Versatile Hashing
Supports standard algorithms like SHA-256 (standard for JWTs) and legacy MD5 for compatibility.
What is HMAC Generator?
The **HMAC Generator** is a free online tool for developers to compute Hash-based Message Authentication Codes. HMACs are widely used in APIs (like Stripe, Slack, or AWS) to verify **data integrity** and **authenticity**. By combining a cryptographic hash function (like SHA-256) with a secret key, HMAC ensures that the message hasn't been tampered with and comes from a trusted source.
How to Use HMAC Generator
1
**Enter Message**: Type or paste the plain text string you want to authenticate.
2
**Enter Secret Key**: Input your secret signing key. This is used to generate the unique signature.
3
**Select Algorithm**: Choose a hashing algorithm. **SHA-256** is the industry standard for most modern APIs.
4
**Copy Result**: Get your HMAC signature in **Hexadecimal** or **Base64** format instantly.
Key Features
**Multiple Algorithms**: Supports MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, and RIPEMD-160.
**Privacy First**: Runs 100% in your browser using `crypto-js`. Your keys and data are never sent to our servers.
**Live Calculation**: Generates the hash instantly as you type.
**Flexible Output**: Toggle between Hex (standard) and Base64 (used in some web headers) formats.
**Secure Input**: 'Eye' toggle allows you to hide your secret key from prying eyes.
About HMAC Generator
How HMAC Works
HMAC (Hash-based Message Authentication Code) is defined in **RFC 2104**. It's more than just `hash(key + message)`, which is vulnerable to "length extension attacks". Instead, HMAC uses a nested hashing structure:
HMAC(K, m) = H( (K' ⊕ opad) || H( (K' ⊕ ipad) || m ) )
- H: The cryptographic hash function (e.g., SHA-256).
- K': The secret key K, padded to the block size of the hash function.
- m: The message to be authenticated.
- opad: Outer padding (0x5c repeating).
- ipad: Inner padding (0x36 repeating).
- ⊕: Bitwise XOR operation.
- ||: Concatenation.
HMAC vs. Hash vs. Digital Signature
| Feature | Simple Hash (SHA-256) | HMAC | Digital Signature (RSA) |
|---|---|---|---|
| Data Integrity | Yes | Yes | Yes |
| Authentication | No (Anyone can hash) | Yes (Shared Secret) | Yes (Private Key) |
| Key Type | None | Symmetric (Shared) | Asymmetric (Public/Private) |
| Performance | Very Fast | Fast | Slow |
Code Examples
How to generate a SHA-256 HMAC in popular programming languages:
Node.js
const crypto = require('crypto');
const secret = 'my-secret-key';
const message = 'Hello World';
const hmac = crypto.createHmac('sha256', secret)
.update(message)
.digest('hex');
console.log(hmac);Python
import hmac import hashlib secret = b'my-secret-key' message = b'Hello World' hash = hmac.new(secret, message, hashlib.sha256).hexdigest() print(hash)
Java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
String secret = "my-secret-key";
String message = "Hello World";
Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), "HmacSHA256");
sha256_HMAC.init(secret_key);
byte[] hash = sha256_HMAC.doFinal(message.getBytes());PHP
$secret = 'my-secret-key';
$message = 'Hello World';
$hash = hash_hmac('sha256', $message, $secret);
echo $hash;Security Best Practices
- Use Strong KeysYour secret key should be random and at least as long as the hash output length (e.g., 32 bytes for SHA-256).
- Constant-Time ComparisonWhen verifying HMACs on your server, always use constant-time comparison (like `crypto.timingSafeEqual`) to prevent timing attacks.
- Rotate KeysChange your secret keys periodically. Support multiple keys (current and previous) to allow smooth rotation without downtime.
- CanonicalizationEnsure the message is formatted consistently (e.g., sorting JSON keys) before hashing, or the signatures won't match.
Frequently Asked Questions
Is this tool safe to use with real keys?
Yes. This tool is built with client-side JavaScript. Your secret keys and messages strictly stay in your browser's memory and are never transmitted over the network.
What is the difference between SHA-256 and HMAC-SHA256?
SHA-256 is a simple hash function: it takes input and produces a fingerprint. HMAC-SHA256 uses a *secret key* mixed with the input. Only someone with the key can create or verify the HMAC, making it suitable for authentication, whereas a simple hash can be generated by anyone.
Can I use this for JWT signatures?
Yes! JWTs typically use HMAC-SHA256 (HS256). You can verify a JWT signature by pasting the header+payload part as the message and your secret as the key.
Why do I get a different result than other tools?
Check your encoding (Hex vs Base64) and ensure you aren't adding extra spaces or newlines to your input message or key. Even a single invisible character changes the output completely.
Is HMAC quantum secure?
Generally, yes. HMAC constructions based on secure hash functions like SHA-256 are considered resistant to quantum computer attacks, unlike public-key signatures like RSA or ECDSA.