HMAC Generator
Generate HMAC-SHA256, HMAC-SHA512, HMAC-MD5, KMAC, and other keyed-hash authentication codes
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic function that combines a hash algorithm with a secret key to produce a fixed-length authentication code. Unlike plain hashing, HMAC cannot be computed without the secret key, making it suitable for verifying both data integrity and authenticity.
HMAC is widely used in API authentication (HMAC-SHA256 is the algorithm behind AWS Signature Version 4 and many REST API schemes), webhook verification, and secure cookie signing. This tool supports HMAC-SHA256, HMAC-SHA512, HMAC-SHA1, HMAC-MD5, KMAC, and more.
How to use HMAC Generator
Enter your message
Type or paste the message you want to authenticate.
Enter your secret key
Enter the shared secret key used to compute the HMAC.
Select the algorithm
Choose from HMAC-SHA256, HMAC-SHA512, HMAC-SHA1, HMAC-MD5, or other supported algorithms.
Copy the HMAC output
The HMAC value appears instantly. Click Copy to copy it to your clipboard in hex or Base64 format.
Frequently asked questions
What is HMAC used for?
HMAC is used to sign API requests (AWS, Stripe, and Shopify all use HMAC-SHA256), verify webhook payloads, sign JWT tokens, and authenticate messages between systems that share a secret key.
What is the difference between HMAC and a plain hash?
A plain hash (SHA-256, MD5) is computed from the data alone — anyone can compute it. HMAC requires a secret key in addition to the data, so only parties that know the key can generate or verify the code.
Which HMAC algorithm should I use?
HMAC-SHA256 is the current standard for new applications. HMAC-SHA512 provides additional security margin. HMAC-SHA1 and HMAC-MD5 should only be used for legacy system compatibility.
Does my key get sent to a server?
No. All HMAC computation runs in your browser. Your message and secret key are never transmitted over the network.