Is my secret key safe?

Yes. Everything runs in your browser. The secret key is never sent to any server.

What is the difference between hex and Base64 output?

Both encode the same HMAC bytes. Hex uses 0-9 and a-f characters (longer). Base64 is shorter and commonly used in HTTP headers. Base64url replaces + and / with - and _ for safe URL use.

Why is HMAC better than signing with a private key?

HMAC is faster and simpler for symmetric scenarios where both parties share the same secret. Use asymmetric signing (RSA, Ed25519) when the verifier must not know the signing key.

HMAC Generator

Runs in browser

Generate and verify HMAC signatures. SHA-256, SHA-512, SHA-1, SHA-384.

Generate HMAC signatures with SHA-256, SHA-512, SHA-1, and SHA-384. Output as hex, Base64, or Base64url. Verify HMACs. Everything runs in your browser using the Web Crypto API.

Message

Secret Key

Algorithm

Output Format

HMAC-SHA-256 (hex)

Result will appear here…

Verify HMAC

Paste an HMAC to compare against the generated result.

Computed in your browser using the Web Crypto API. The message and secret key never leave your device.

🔒 Runs in your browser · No uploads · Your data never leaves your device

How to use

Enter message and secret key
Paste the message and secret key. The HMAC is computed automatically as you type.
Choose algorithm and format
Select SHA-256, SHA-512, SHA-1, or SHA-384. Choose hex, Base64, or Base64url output.
Verify an existing HMAC
Paste an HMAC into the Verify section to check if it matches your message and key.

Common use cases

Verifying webhook signatures — Compute HMAC-SHA256 of a webhook payload using the provider's secret to confirm the signature in the X-Hub-Signature or Stripe-Signature header.
Generating API request signatures — Sign API request bodies or query strings with a shared secret key to authenticate API calls to services that use HMAC-based auth.

Examples

Verify a webhook signature
Compute HMAC-SHA256 of a Stripe-like payload.
Input
```
Message: payload body | Key: webhook_secret
```
Output
```
3ecb2b2c98f2...
```

Frequently asked questions

Is my secret key safe?: Yes. Everything runs in your browser. The secret key is never sent to any server.
What is the difference between hex and Base64 output?: Both encode the same HMAC bytes. Hex uses 0-9 and a-f characters (longer). Base64 is shorter and commonly used in HTTP headers. Base64url replaces + and / with - and _ for safe URL use.
Why is HMAC better than signing with a private key?: HMAC is faster and simpler for symmetric scenarios where both parties share the same secret. Use asymmetric signing (RSA, Ed25519) when the verifier must not know the signing key.

Key concepts

HMAC: Hash-based Message Authentication Code — a MAC computed using a cryptographic hash function and a secret key, proving both data integrity and authenticity.
Hex encoding: A way to represent binary data as a string of hexadecimal characters (0–9, a–f). HMAC output is typically expressed in hex or Base64.

You might find these useful too.

More hashing tools

TOTP / OTP Generator
Generate RFC 6238 TOTP codes from a base32 secret with a live countdown.
Open

HMAC Generator tool

How to use

Enter message and secret key

Choose algorithm and format

Verify an existing HMAC

Common use cases

Examples

Verify a webhook signature

Frequently asked questions

Key concepts

Related tools

More hashing tools

Related Guides