How to Generate HMAC

Generate HMAC signatures using SHA-256, SHA-512, MD5, and more. Free online HMAC generator for API authentication, webhook verification, and data integrity.

Open HMAC Generator →

Step-by-Step Guide

1

Enter your message

Paste or type the message you want to sign into the input field. This is the data that will be authenticated — it could be an API request body, a webhook payload, or any string you need to verify integrity for. The HMAC will be computed over the exact bytes of this input.

2

Choose the hash algorithm

Select your hash algorithm from the dropdown. SHA-256 is the most widely used and recommended for most applications — it provides a good balance of security and performance. SHA-512 offers stronger security for high-sensitivity use cases, while MD5 and SHA-1 are available for legacy system compatibility but are not recommended for new projects.

3

Enter the secret key

Type or paste your secret key. This shared secret is what makes HMAC secure — only parties who know the key can generate or verify the signature. Use a strong, random key of at least 32 characters. Never expose this key in client-side code, URLs, or public repositories.

4

Copy the HMAC output

The tool instantly generates your HMAC signature displayed as a hexadecimal string. Copy it using the copy button and use it in your Authorization header, webhook verification logic, or wherever your application requires it. You can toggle between hex and Base64 output formats depending on your API requirements.

Try It Now — Free

No signup, no download. Runs entirely in your browser.

Open HMAC Generator

Frequently Asked Questions

What is HMAC and how does it work?
HMAC (Hash-based Message Authentication Code) combines a cryptographic hash function with a secret key to produce a signature that verifies both data integrity and authenticity. Unlike a plain hash, HMAC requires the secret key to generate or verify — so even if an attacker can see the message, they cannot forge a valid HMAC without knowing the key.
Should I use HMAC-SHA256 or HMAC-SHA512?
HMAC-SHA256 is the standard choice for most applications — it is fast, secure, and universally supported by APIs and libraries. HMAC-SHA512 produces a longer signature and can be slightly faster on 64-bit systems, but the security difference is negligible for practical purposes. Use SHA-512 if your API or compliance requirements specifically mandate it.
What are common use cases for HMAC?
HMAC is widely used for API authentication (signing requests so the server can verify the sender), webhook verification (GitHub, Stripe, and Shopify all sign webhook payloads with HMAC), and data integrity checks (ensuring a message has not been tampered with in transit). It is also used in JWT tokens and session management.
Related Reference

JavaScript Cheat Sheet

View Cheat Sheet →

More Guides

How to Format JSON Online How to Encode & Decode Base64 How to Generate UUID Online How to Test an API Online