Security

HMAC Generator

Generate and verify keyed message authentication codes with SHA-256, SHA-384 and SHA-512.

HMAC examples

Start from a simple message, webhook payload or hexadecimal input.

Algorithm

Select the hash algorithm used by the HMAC construction.

Message

Enter the message to authenticate and choose how the input should be decoded.

Message encoding

Secret key

Enter the shared secret and choose its input encoding.

Secret encoding

Generate an HMAC

Enter a message and secret key to calculate a keyed message authentication code.

Messages, secrets and signatures are processed locally through the Web Crypto API. BigForgeKit does not upload or store secret keys.

About this tool

What is HMAC Generator?

HMAC Generator creates keyed message authentication codes by combining a message with a shared secret. Generate SHA-256, SHA-384 and SHA-512 signatures in hexadecimal, Base64 and Base64URL formats, or compare an expected signature with the generated result.

Features

Built for fast developer workflows

  • Generate HMAC signatures with SHA-256, SHA-384 and SHA-512.
  • Use text, hexadecimal or Base64 messages.
  • Use text, hexadecimal or Base64 secret keys.
  • Generate hexadecimal output.
  • Generate Base64 and Base64URL output.
  • Verify an expected signature against the generated HMAC.
  • Normalize signature formats before comparison.
  • Detect malformed hexadecimal input.
  • Detect invalid Base64 input.
  • Load webhook and hexadecimal examples.
  • Copy each generated signature.
  • Process messages and secrets locally through the Web Crypto API.

Frequently asked questions

Questions about HMAC Generator

What is an HMAC?

An HMAC is a keyed message authentication code that combines a cryptographic hash function with a shared secret to authenticate message integrity and origin.

What is the difference between a hash and an HMAC?

A regular hash only uses the message. An HMAC also requires a secret key, which allows trusted parties to verify who generated the signature.

Which algorithms are supported?

The tool supports HMAC using SHA-256, SHA-384 and SHA-512.

Can I verify webhook signatures?

Yes. Enter the exact webhook payload and shared secret, then compare the generated signature with the value supplied by the webhook provider.

What is Base64URL?

Base64URL is a URL-safe Base64 variant that replaces plus and slash characters and usually removes trailing padding.

Are secret keys uploaded?

No. Messages, secrets and signatures remain inside your browser and are processed through the Web Crypto API.

Related tools