Skip to content
Security · Hashing

HMAC Generator

Compute HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 message authentication codes using a secret key. Supports plain text, hex, and Base64 key encodings; outputs in hex, Base64, or URL-safe Base64. Verify a received HMAC on the Verify tab. Runs entirely in your browser; nothing is uploaded.

In-browser only Web Crypto API SHA-1 · 256 · 384 · 512
0 bytes
0 bytes
Key encoding
Algorithm
Output encoding
HMAC resultHMAC-SHA256 · 256 bits
Enter a message and secret key to generate an HMAC.
All computation runs in your browser — nothing is uploaded.

Guide

How to Use

  1. 1
    Enter your message

    Type or paste the message you want to authenticate into the Message field. The byte count updates as you type.

  2. 2
    Enter your secret key

    Type or paste your secret key into the Secret key field. Use the key encoding selector to specify whether the key is plain text, hex, or Base64.

  3. 3
    Select an algorithm and output encoding

    Choose one of the four supported algorithms: HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. Then pick your output format: hex, Base64, or URL-safe Base64.

  4. 4
    Read the HMAC result

    The HMAC is computed in a background Web Worker and displayed instantly. Copy it, download it as a .txt file, or switch to the Verify tab to compare it with an expected value.

  5. 5
    Verify an HMAC

    Switch to the Verify tab and paste the expected HMAC into the Expected HMAC field. A green indicator appears if it matches the computed HMAC, or a red indicator if it does not.

Reference

HMAC Algorithms Compared

HMAC Algorithms Compared
AlgorithmOutput sizeInner hashBest for
HMAC-SHA1160-bit (20 bytes)SHA-1Legacy systems only — avoid for new work
HMAC-SHA256256-bit (32 bytes)SHA-256General-purpose API authentication, JWT
HMAC-SHA384384-bit (48 bytes)SHA-384Higher-security signing, TLS context
HMAC-SHA512512-bit (64 bytes)SHA-512High-assurance message authentication

Frequently Asked Questions

What is an HMAC?
HMAC (Hash-based Message Authentication Code) is a type of message authentication code that combines a cryptographic hash function with a secret key. It is used to verify both the integrity and authenticity of a message — that the message has not been tampered with and that it came from someone who knows the shared secret.
What is the difference between HMAC-SHA256 and HMAC-SHA512?
Both are secure for modern use. HMAC-SHA256 produces a 256-bit (32-byte) signature and is the most widely used choice for API authentication and JWT signing. HMAC-SHA512 produces a 512-bit (64-byte) signature and offers a larger security margin, at the cost of a longer output string. For most applications, HMAC-SHA256 is the right choice.
Is HMAC-SHA1 still safe?
HMAC-SHA1 is currently not broken in the same way as raw SHA-1. However, it is considered legacy and should not be used for new integrations. Use HMAC-SHA256 or stronger instead. Some older APIs (such as OAuth 1.0) still require HMAC-SHA1 for backward compatibility.
What is the difference between hex and Base64 output?
Both represent the same binary data in different text encodings. Hex uses two lowercase characters per byte (0–9, a–f) and is easy to read. Base64 uses about 1.33 characters per byte and is more compact. URL-safe Base64 replaces + with - and / with _, and removes padding, making it safe to embed in URLs and HTTP headers.
What key encodings are supported?
Three key encodings are available: Plain text encodes the key as UTF-8 bytes. Hex expects the key as a lowercase or uppercase hex string (each pair of characters is one byte; must have an even number of characters). Base64 expects a standard Base64-encoded key (padding is optional).
Does this tool upload my key or message?
No. All computation happens in a Web Worker running entirely in your browser. Your key and message never leave your device — you can open the browser Network tab and confirm there are no outgoing requests carrying your data.
Why does my HMAC differ from what my server computed?
The most common causes are: the message has a trailing newline on the server (check with printf vs echo), the key is in a different encoding (hex vs plain text vs Base64), or a different algorithm was used. Verify all three settings match what your server expects.
Can I use URL-safe Base64 output with JWT?
JWT uses URL-safe Base64 (without padding) for all three parts of the token, including the signature. So yes — if you need to match a JWT signature, select URL-safe Base64 output.