ToolSec

HMAC Generator (SHA-1, SHA-256, SHA-512)

Compute an HMAC from a message and secret key using SHA-1/256/384/512, as hex or Base64.

Updated: June 26, 2026


What is an HMAC?

HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a tag that proves two things at once: the message hasn't been altered (integrity) and it was produced by someone who knows the key (authenticity). Unlike a plain hash, an attacker who can't see the key cannot forge a valid HMAC for a modified message.

How it differs from a plain hash

A bare hash like SHA-256(message) protects against accidental corruption, but anyone can recompute it, so it proves nothing about who sent the data. HMAC mixes the secret key into the computation (HMAC(key, message)), so only parties sharing the key can produce or verify the tag. That's why HMAC — not a plain hash — is the right primitive for authenticating messages between systems.

Where HMAC is used

  • Webhook signatures. Providers like Stripe, GitHub and Slack sign each webhook with HMAC-SHA256 so your endpoint can confirm the request really came from them. You recompute the HMAC over the raw body with your signing secret and compare.
  • API request signing. AWS Signature v4 and many other APIs sign requests with HMAC to prevent tampering and replay.
  • JWT (HS256). The HS256 signature on a JWT is literally an HMAC-SHA256 over the header and payload — see our JWT decoder.

Hex vs Base64 output

The raw HMAC is a sequence of bytes; you encode it for transport. Hex is the most common in headers and logs (e.g. GitHub's X-Hub-Signature-256), while Base64 is more compact and used by some APIs. This tool gives you both — match whatever format the service you're integrating with expects.

Verifying safely

When you check an incoming signature, compare it using a constant-time comparison on the server, not an ordinary string equality check — a naive comparison can leak timing information that helps an attacker forge a tag. Also always compute the HMAC over the exact raw bytes the sender signed; re-serializing JSON before hashing is a classic cause of mismatches.
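The following is an added example, not code from the ToolSec tool itself, showing the hex and Base64 encodings from the previous section alongside a constant-time webhook check. The secret and body are constructed sample values, and the `sha256=<hex>` header layout is assumed to follow the GitHub convention mentioned above.

```python
import base64
import hashlib
import hmac

# Constructed sample values; no real provider or secret is involved.
SECRET = b"example-signing-secret"
RAW_BODY = b'{"event":"ping","id":42}'


def hmac_tag(key: bytes, message: bytes, algo: str = "sha256") -> bytes:
    """Raw HMAC bytes over the exact message bytes; algo is a hashlib name."""
    return hmac.new(key, message, getattr(hashlib, algo)).digest()


def hmac_hex(key: bytes, message: bytes, algo: str = "sha256") -> str:
    """Hex encoding, the form most signature headers (e.g. GitHub) carry."""
    return hmac_tag(key, message, algo).hex()


def hmac_b64(key: bytes, message: bytes, algo: str = "sha256") -> str:
    """Base64 encoding of the same bytes, used by some APIs instead of hex."""
    return base64.b64encode(hmac_tag(key, message, algo)).decode("ascii")


def verify_signature_header(key: bytes, raw_body: bytes, header: str) -> bool:
    """Verify a 'sha256=<hex>' header over the raw, unparsed request body.

    hmac.compare_digest runs in time independent of where the strings differ,
    so the check does not leak how many leading bytes matched. A malformed
    header is rejected rather than raising.
    """
    prefix = "sha256="
    if not header.startswith(prefix):
        return False
    expected = hmac_hex(key, raw_body, "sha256")
    return hmac.compare_digest(expected, header[len(prefix):])


def demo() -> dict:
    """Sign the sample body, then verify it against tampered/re-serialised bodies."""
    header = "sha256=" + hmac_hex(SECRET, RAW_BODY)
    # Same JSON value, different bytes (spaces added): the tag no longer matches.
    reserialised = b'{"event": "ping", "id": 42}'
    return {
        "hex": hmac_hex(SECRET, RAW_BODY),
        "base64": hmac_b64(SECRET, RAW_BODY),
        "valid": verify_signature_header(SECRET, RAW_BODY, header),
        "tampered": verify_signature_header(SECRET, RAW_BODY + b" ", header),
        "reserialised": verify_signature_header(SECRET, reserialised, header),
    }
```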

Key strength

HMAC is only as strong as its key. Use a long, random secret — a value from our Base64-encoded random bytes or a dedicated key generator is far better than a human-chosen password. Choose SHA-256 or stronger; SHA-1 is acceptable for HMAC compatibility but SHA-256 is the modern default.

Frequently asked questions

What's the difference between a hash and an HMAC?

A plain hash only proves integrity and can be recomputed by anyone. An HMAC mixes in a secret key, so it also proves authenticity — only someone with the key can produce or verify it. Use HMAC to authenticate messages.

How do I verify a webhook signature?

Compute an HMAC over the exact raw request body using your signing secret and the algorithm the provider specifies (usually SHA-256), then compare it to the signature header. Use a constant-time comparison on your server.

Should I output hex or Base64?

Match the service you're integrating with. Many webhook signatures (e.g. GitHub) use hex; some APIs use Base64. This tool produces both from the same message and key.

Which hash algorithm should I pick for HMAC?

SHA-256 is the modern default. SHA-512 is also strong and faster on 64-bit systems for large inputs. HMAC-SHA1 is still cryptographically acceptable for compatibility but avoid it for new designs.

Webhook & API security tooling

Teams handling signed webhooks and API requests at scale often rely on:

  • Webhook gateway / event platform: receive, verify and retry signed webhooks reliably without writing signature checks for every provider.
  • Secrets manager: generate, rotate and distribute strong signing keys instead of hard-coding shared secrets.
