HMAC Generator (SHA-256 / SHA-384 / SHA-512)
Free online HMAC generator. Enter a secret key and a message to compute an HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512 authentication code using the browser's Web Crypto API. Output in hex or Base64. Everything runs locally — your key and message never leave your device.
HMAC Generator
Compute an HMAC (Hash-based Message Authentication Code) from a secret key and a message, right in your browser. HMAC proves two things at once: that a message came from someone who holds the shared secret key, and that it hasn’t been altered in transit.
How HMAC differs from a plain hash
A plain hash like SHA-256 can be computed by anyone, so it only detects accidental corruption — an attacker who changes the message can simply recompute the hash. HMAC mixes a secret key into the hashing process, so only parties who know the key can produce or verify a valid code. It’s the standard building block for API request signing, webhook verification, and session tokens.
Using the tool
- Enter the secret key shared between sender and receiver.
- Enter the message to authenticate.
- Pick a hash — HMAC-SHA256 is the common default; SHA-384 and SHA-512 offer larger outputs.
- Choose hex or Base64 output to match what your API expects.
Both key and message are treated as UTF-8 text.
Verifying instead of generating
To verify a received message, compute the HMAC over it with the same key and compare against the code you were sent. In production code, always compare using a constant-time comparison to avoid timing side channels.
Privacy
The key and message never leave your browser — the HMAC is computed locally with the Web Crypto API.
References
- RFC 2104, HMAC: Keyed-Hashing for Message Authentication, IETF.
- RFC 4231, HMAC-SHA Identifiers and Test Vectors.