HMAC Generator
Generate HMAC authentication codes with SHA-256, SHA-384, SHA-512, or SHA-1. All computation happens in your browser.
HMAC Result
Algorithm
—
Output Size
—
Key Length
—
Time
—
Enter a message and secret key, then click Generate HMAC
Frequently Asked Questions
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a mechanism for verifying both the integrity and authenticity of a message. It combines a cryptographic hash function (like SHA-256) with a secret key to produce a fixed-size authentication tag.
What is HMAC used for?
HMAC is used for API authentication (AWS Signature V4, Stripe webhooks), JWT token signing, webhook payload verification, message integrity checking, and key derivation in protocols like TLS and IPsec.
Which HMAC algorithm should I use?
HMAC-SHA256 is the most widely recommended. It provides 256-bit security and is used by AWS, Stripe, GitHub, and most modern APIs. Use HMAC-SHA512 when you need extra security margin. Avoid HMAC-SHA1 for new applications.
Is HMAC-SHA1 still secure?
HMAC-SHA1 remains practically secure for message authentication, even though SHA-1 alone has collision vulnerabilities. The HMAC construction protects against collision attacks. However, HMAC-SHA256 is recommended for new implementations.
How is HMAC different from a plain hash?
A plain hash (like SHA-256) only verifies integrity — anyone can compute it. HMAC requires a secret key, so only parties who know the key can generate or verify the tag. This provides both integrity and authentication.
Is my data secure?
Yes. All HMAC computation happens entirely in your browser using the Web Crypto API. Your message and secret key are never sent to any server.