HMAC Generator

Create HMAC signatures for webhook payloads, API signing examples, and local verification workflows using browser-native crypto.

Last updated: May 28, 2026

Use test secrets or redacted keys. Do not paste production signing secrets into browser tools unless your security policy permits it.

Message

Secret Key

Hash Algorithm

Output Format

HMAC Signature

Generated HMAC appears here.

Client-Side Processing

Input Data Stays on Device

Instant Local Execution

Find this tool useful? Support the project to keep it free!

Buy me a coffee

What is HMAC Generator?

HMAC stands for Hash-based Message Authentication Code. It combines a message with a secret key and a hash function such as SHA-256. The resulting signature proves that the message was created by someone who knows the secret and that the message bytes have not changed.

How to Use HMAC Generator

Paste the message or payload to sign.

Paste the secret key and select text, hex, or Base64 format.

Choose SHA-256 unless your integration requires another algorithm.

Choose hex or Base64 output.

Click Generate HMAC and copy the signature.

Common Use Cases

Generating local webhook signature examples.
Debugging API request signing code.
Comparing expected and actual HMAC-SHA256 values.
Creating documentation fixtures for signed payloads.
Testing whether a secret is interpreted as text, hex, or Base64 bytes.

Example Input and Output

A webhook-style JSON payload signed with a shared secret using HMAC-SHA256.

Message and secret

Message: {"event":"invoice.paid","id":"evt_12345","amount":4999}
Secret: webhook_signing_secret

HMAC-SHA256 hex

781def8a145865b85874db3b663e6317db4a2d8df0cad15877ed741e04059e94

Signature comparison

When comparing signatures in application code, use a constant-time comparison to avoid timing leaks.

Secret handling

Prefer test secrets for online debugging. Production signing secrets should stay inside your controlled systems.

Frequently Asked Questions

Which HMAC algorithm should I use?

HMAC-SHA256 is the best default for modern API and webhook signatures unless your provider requires SHA-1, SHA-384, or SHA-512.

Is HMAC encryption?

No. HMAC authenticates a message but does not hide it. Anyone can still read the message unless it is encrypted separately.

Why do text, hex, and Base64 secrets produce different signatures?

HMAC signs bytes. The same visible string can represent different byte sequences depending on whether it is treated as literal text, hex, or Base64.

Does this send my secret to a server?

No. HMAC signing uses the browser Web Crypto API and runs on your device.

Related Tools

Checksum Calculator

Calculate CRC-32, Adler-32, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 checksums from text, hex, or Base64 input.

Encryption Decryption

Encrypt and decrypt text locally with password-based AES-GCM encryption and a portable JSON envelope.

SHA Hash Generator

Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes from text instantly in your browser.

JWT Decoder

Decode and inspect JSON Web Tokens (JWT) without validation.

Webhook Tester

Receive, inspect, and debug incoming webhooks in real-time — see headers, body, query params, and method for any HTTP request sent to your unique endpoint.

Base64 Encoder/Decoder

Encode text to Base64 or decode Base64 to plain text — with URL-safe mode, auto-detect, and size stats.