Utilavo

HMAC Generator

Generate HMAC-SHA256 and HMAC-SHA512 authentication codes to sign API requests and verify webhooks

How to use HMAC Generator

  1. Enter your message

    Type or paste the message you want to authenticate.

  2. Enter your secret key

    Enter the shared secret key used to compute the HMAC.

  3. Select the algorithm

    Choose from HMAC-SHA256, HMAC-SHA512, HMAC-SHA1, HMAC-MD5, or other supported algorithms.

  4. Copy the HMAC output

    The HMAC value appears instantly. Click Copy to copy it to your clipboard in hex or Base64 format.

What is HMAC?

HMAC (Hash-based Message Authentication Code) is a cryptographic function that combines a hash algorithm with a secret key to produce a fixed-length authentication code. Unlike plain hashing, HMAC cannot be computed without the secret key, making it suitable for verifying both data integrity and authenticity.

HMAC is widely used in API authentication (HMAC-SHA256 is the algorithm behind AWS Signature Version 4 and many REST API schemes), webhook verification, and secure cookie signing. This tool supports HMAC-SHA256, HMAC-SHA512, HMAC-SHA1, HMAC-MD5, KMAC, and more.

In practice, HMAC is the backbone of request authentication for major platforms. AWS Signature Version 4 computes HMAC-SHA256 over a canonical request string to authenticate every AWS API call. Stripe signs webhook events with HMAC-SHA256 so your server can verify that incoming payloads genuinely come from Stripe, not an attacker. GitHub, Shopify, Slack, and Twilio all use HMAC-based webhook signatures. OAuth 1.0a uses HMAC-SHA1 for request signing. JWT tokens (when using the HS256 algorithm) sign the header and payload with HMAC-SHA256 using a shared secret.

The security of HMAC depends on the secrecy and strength of the key, not the message. The key should be at least as long as the hash output (32 bytes for HMAC-SHA256, 64 bytes for HMAC-SHA512) and generated from a cryptographically secure random source. Unlike plain hashing, HMAC is resistant to length-extension attacks — even if an attacker knows HMAC(key, message), they cannot compute HMAC(key, message || extra) without the key. Computation runs client-side so the key stays on your device (see our processing model for the full handling description). For generating strong random keys, use the Random String Generator. For deeper background on HMAC and other authentication mechanisms, see our encryption algorithms guide.

Frequently asked questions

What is HMAC used for?

HMAC is used to sign API requests (AWS, Stripe, and Shopify all use HMAC-SHA256), verify webhook payloads, sign JWT tokens, and authenticate messages between systems that share a secret key.

What is the difference between HMAC and a plain hash?

A plain hash (SHA-256, MD5) is computed from the data alone — anyone can compute it. HMAC requires a secret key in addition to the data, so only parties that know the key can generate or verify the code.

Which HMAC algorithm should I use?

HMAC-SHA256 is the current standard for new applications. HMAC-SHA512 provides additional security margin. HMAC-SHA1 and HMAC-MD5 should only be used for legacy system compatibility.

How do I verify a Stripe or GitHub webhook signature?

Both Stripe and GitHub sign webhook payloads with HMAC-SHA256. Paste the raw request body as the message, enter the webhook signing secret as the key, select HMAC-SHA256, and compare the hex output against the signature header sent with the request.

What key length should I use for HMAC?

The key should be at least as long as the hash output: 32 bytes (256 bits) for HMAC-SHA256, 64 bytes (512 bits) for HMAC-SHA512. Keys shorter than the hash output are padded internally but provide less security. Keys longer than the block size (64 bytes for SHA-256, 128 bytes for SHA-512) are first hashed, so excessively long keys do not add security. Use the Random String Generator to create cryptographically strong keys of the appropriate length.
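The webhook check and the key-handling rules from the two answers above, as an added Python example (not code from this tool). It assumes a GitHub-style header value of the form `sha256=<hex>`; the secret, request body and function names are constructed for illustration.

```python
import hashlib
import hmac


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC per RFC 2104, written out to make the key handling visible."""
    block_size = hashlib.new(hash_name).block_size  # 64 for SHA-256, 128 for SHA-512
    if len(key) > block_size:
        # Keys longer than the block size are replaced by their hash.
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")  # shorter keys are zero-padded to one block
    inner_pad = bytes(b ^ 0x36 for b in key)
    outer_pad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, inner_pad + message).digest()
    return hashlib.new(hash_name, outer_pad + inner).digest()


def verify_webhook(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Verify an assumed 'sha256=<hex>' header against the unparsed request body."""
    scheme, _, received_hex = header_value.strip().partition("=")
    if scheme != "sha256":
        return False
    expected_hex = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest does not stop at the first mismatching byte, so response
    # timing does not reveal how much of a guessed signature was correct.
    return hmac.compare_digest(expected_hex.encode(), received_hex.lower().encode())


# Constructed sample data (not real secrets or payloads).
SECRET = b"constructed-demo-secret"
BODY = b'{"event":"ping","id":1}'
GOOD_HEADER = "sha256=" + hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()
LONG_KEY = b"k" * 100  # longer than the SHA-256 block, shorter than the SHA-512 block

if __name__ == "__main__":
    print("valid signature accepted:", verify_webhook(SECRET, BODY, GOOD_HEADER))
    print("modified body accepted:  ", verify_webhook(SECRET, BODY + b" ", GOOD_HEADER))
    same = hmac_manual(LONG_KEY, BODY) == hmac_manual(
        hashlib.sha256(LONG_KEY).digest(), BODY
    )
    print("100-byte key equals its SHA-256 digest as key:", same)
```

Sign the bytes exactly as they arrived on the wire: re-serializing parsed JSON can change whitespace or key order and make a valid signature fail.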

Can I use HMAC for password hashing?

HMAC alone is not suitable for password hashing because it is designed to be fast, and fast hashing allows attackers to try billions of guesses per second. Password hashing requires intentionally slow algorithms like bcrypt, scrypt, or Argon2 that include a configurable work factor. HMAC is designed for message authentication between parties that share a secret key, not for storing passwords. Use the Hash Generator for general hashing and dedicated password hashing libraries for credential storage.
