DevToys Web Pro

free web developer tools

Blog
Rate us:
Try browser extension:

HMAC Generator

Input

Configuration

  • AlgorithmSelect the HMAC hash algorithm
  • Key FormatHow your secret key is encoded
  • Output FormatHow to display the generated HMAC

HMAC Output

    • Technical details

    How the HMAC Generator Works

    What the Tool Does

    This HMAC generator creates keyed hashes (HMAC signatures) for a message using a shared secret key. It supports HMAC SHA-1, HMAC SHA-256, HMAC SHA-384, and HMAC SHA-512, which are commonly used for API authentication, webhook verification, and message integrity checks. You can choose how the key is encoded (text, hex, or Base64) and output the HMAC in hex or Base64. All calculations run locally in your browser using the Web Crypto API, so your secret never leaves your device.

    Common Developer Use Cases

    Developers use an online HMAC calculator to verify webhook signatures from services like Stripe, GitHub, or Slack, generate API request signatures, and debug JWT HMAC signing workflows. When integrating third-party APIs that require HMAC authentication, this tool helps you confirm the expected signature and compare it with server output. It also helps validate HMAC hashes during testing, build reproducible examples, and troubleshoot encoding mismatches between clients and servers.

    Data Formats, Types, or Variants

    The HMAC tool supports SHA-1, SHA-256, SHA-384, and SHA-512 algorithms, with outputs in hex or Base64. Secret keys can be provided as plain text (UTF-8), hexadecimal, or Base64-encoded bytes. Many integrations publish HMAC signatures in hex, while some APIs expect Base64; this generator helps you match those formats. Be sure to choose the correct key encoding to avoid mismatched signatures.

    Common Pitfalls and Edge Cases

    HMAC signatures are extremely sensitive to input details. Any difference in message encoding, whitespace, or line endings will change the result. Ensure you use the exact payload and the correct key format (text vs hex vs Base64). SHA-1 is considered weaker and should only be used for legacy integrations when required. If your platform uses Base64URL rather than Base64, you may need to convert the output for comparison.

    When to Use This Tool vs Code

    Use this HMAC generator for quick checks, debugging webhook verification, and validating example signatures during development. For production systems, generate HMAC signatures in code using your platform's crypto library so you can ensure consistent encoding, secure key handling, and proper timing-safe comparisons. This tool is ideal for development, but your application should compute HMACs programmatically in production.