HMAC Signature Generator
Generate Hash-based Message Authentication Codes using SHA-256, SHA-512, and other algorithms with a secret key.
How to Use the HMAC Generator
- Enter or paste the message you want to authenticate.
- Enter the secret key used for HMAC generation.
- Select the hashing algorithm (SHA-256, SHA-512, SHA-1, or MD5).
- The HMAC is computed instantly in your browser.
- Copy the generated HMAC value for use in your API request or webhook verification.
What is HMAC (Hash-based Message Authentication Code)?
HMAC is a specific construction for creating a message authentication code using a cryptographic hash function combined with a secret key. Defined by RFC 2104, HMAC provides both data integrity and authentication. Unlike a plain hash, an HMAC cannot be computed or verified without the secret key, ensuring that only parties who possess the key can generate or validate the code.

HMAC is extensively used in API security, webhook verification, and protocol authentication. When you sign API requests with HMAC-SHA256 (as used by AWS, Stripe, GitHub webhooks, and many others), the server can verify that the request was sent by someone who knows the secret key and that the message has not been tampered with in transit. HMAC is also used in TOTP (time-based one-time passwords) for two-factor authentication.

The security of HMAC depends on the secrecy and strength of the key. Use a key that is at least as long as the hash output (32 bytes for SHA-256) and generated from a cryptographically secure random source. HMAC is resistant to the length-extension attacks that affect plain hash functions like SHA-256, which is why HMAC-SHA256 is preferred over naive constructions like SHA256(key + message) for authentication. Always use constant-time comparison when verifying HMAC values to prevent timing attacks.
Frequently Asked Questions
A regular hash only ensures data integrity. Anyone can compute the hash of a message. HMAC incorporates a secret key, so only parties who know the key can generate or verify the code. This provides both integrity (the message was not altered) and authentication (the message came from someone with the key).
HMAC-SHA256 is the most widely recommended choice, offering a strong balance of security and performance. HMAC-SHA512 provides a larger output and may be faster on 64-bit systems. Avoid HMAC-MD5 and HMAC-SHA1 for new implementations, as the underlying hash functions have known weaknesses, even though the HMAC construction mitigates many of them.
Services like GitHub, Stripe, and Slack sign webhook payloads using HMAC with a shared secret. When your server receives a webhook, you compute the HMAC of the request body using your secret key and compare it to the signature in the request header. If they match, the webhook is authentic and untampered. Always use constant-time comparison for this check.
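The webhook check described above, written out as an added Python example (this is not the generator's own code): a signer that emits an `algo=hexdigest` header, and a verifier that recomputes the HMAC over the raw body, rejects weak or unknown algorithms, and compares in constant time. The secret and payload are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this example only.
WEBHOOK_SECRET = b"example-shared-secret"
SAMPLE_BODY = b'{"event":"order.paid","id":1234}'

# Only algorithms without known weaknesses are accepted by the verifier.
ALLOWED_ALGOS = ("sha256", "sha512")


def generate_secret(length: int = 32) -> bytes:
    """Produce a secret at least as long as the SHA-256 output, from a CSPRNG."""
    return secrets.token_bytes(length)


def sign_payload(secret: bytes, body: bytes, algo: str = "sha256") -> str:
    """Return the header value 'algo=<hex HMAC of body under secret>'."""
    digest = hmac.new(secret, body, getattr(hashlib, algo)).hexdigest()
    return f"{algo}={digest}"


def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Recompute the HMAC over the raw request body and compare in constant time.

    Returns False for a missing or malformed header, an algorithm outside
    ALLOWED_ALGOS, or a digest that does not match. Never short-circuits on
    the digest bytes themselves, so timing does not leak the expected value.
    """
    if not header_value or "=" not in header_value:
        return False
    algo, _, received = header_value.partition("=")
    if algo not in ALLOWED_ALGOS:
        return False
    expected = hmac.new(secret, body, getattr(hashlib, algo)).hexdigest()
    # Compare as bytes so arbitrary (even non-ASCII) header input cannot raise.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


if __name__ == "__main__":
    header = sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)
    print(header, verify_signature(WEBHOOK_SECRET, SAMPLE_BODY, header))
```

Verify against the exact bytes received on the wire, not a re-serialised JSON object, since any whitespace or key-order change alters the digest.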