HMAC Generator
Generate HMAC (Hash-based Message Authentication Code) using SHA-256, SHA-384, SHA-512, or SHA-1 algorithms with a secret key
Input
Output
Readme
What is HMAC?
HMAC (Hash-based Message Authentication Code) is a cryptographic technique that combines a secret key with a hash function to produce a unique authentication code. Unlike simple hashing, HMAC ensures both data integrity and authenticity—verifying that a message hasn't been tampered with and confirming the sender's identity.
HMAC works by processing the message through a hash function (like SHA-256) twice, mixed with the secret key in a specific way. This double-hashing approach makes it resistant to length extension attacks that affect plain hash functions.
How does HMAC work?
The HMAC algorithm follows these steps:
- Key preparation: If the secret key is longer than the hash block size, it's hashed first. If shorter, it's padded with zeros.
- Inner hash: The key is XORed with an inner padding constant (ipad), then concatenated with the message and hashed.
- Outer hash: The key is XORed with an outer padding constant (opad), then concatenated with the inner hash result and hashed again.
The formula is: HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))
This construction ensures that even if an attacker knows the hash of a message, they cannot forge a valid HMAC without knowing the secret key.
Why use HMAC instead of regular hashing?
| Feature | Regular Hash | HMAC |
|---|---|---|
| Data integrity | ✓ | ✓ |
| Authentication | ✗ | ✓ |
| Requires secret key | ✗ | ✓ |
| Protection against length extension | ✗ | ✓ |
| Suitable for API authentication | ✗ | ✓ |
Regular hashes (MD5, SHA-256) only verify that data hasn't changed. HMAC additionally proves that the message came from someone who knows the secret key, making it essential for secure communications.
Understanding hash algorithms
| Algorithm | Output Size | Security Level | Performance | Recommendation |
|---|---|---|---|---|
| SHA-1 | 160 bits (40 hex chars) | Weak | Fastest | Legacy systems only |
| SHA-256 | 256 bits (64 hex chars) | Strong | Fast | Recommended default |
| SHA-384 | 384 bits (96 hex chars) | Very Strong | Moderate | High-security needs |
| SHA-512 | 512 bits (128 hex chars) | Very Strong | Moderate | Maximum security |
SHA-256 offers the best balance of security and performance for most applications. SHA-1 is included for compatibility with legacy systems but should be avoided for new implementations due to known vulnerabilities.
Output format comparison
Hexadecimal: Uses characters 0-9 and a-f. Produces a longer string but is easier to read and debug. Common in APIs and logging.
Base64: Uses characters A-Z, a-z, 0-9, +, and /. Produces a shorter string (approximately 33% shorter than hex). Common in JWT tokens and compact data transmission.
Example for the same HMAC:
- Hex:
5d5d139563c95b5967b9bd9a8c9b8c8d8e8f9a9b9c9d9e9f0a0b0c0d0e0f1011 - Base64:
XV0TlWPJW1lnub2ajJuMjY6Pmpm9nZ6fCgsMDQ4PEQ==
Tool description
This HMAC Generator creates cryptographic authentication codes using the Web Crypto API for secure, client-side computation. Enter your message and secret key to instantly generate HMAC signatures with your choice of hash algorithm (SHA-1, SHA-256, SHA-384, or SHA-512) and output format (hexadecimal or base64).
All processing happens entirely in your browser—your secret keys and messages are never transmitted to any server, ensuring complete privacy and security.
Examples
Example 1: API request signing
- Message:
GET /api/users?timestamp=1704067200 - Secret Key:
my-api-secret-key-2024 - Algorithm: SHA-256
- Output (Hex):
d090e24b18ee077bdeceacab17fb15ff8cf7868147b302dbcb1b11630465e817
Features
- Multiple hash algorithms: Support for SHA-1, SHA-256, SHA-384, and SHA-512 with visual indicators showing bit strength
- Dual output formats: Generate results in hexadecimal or Base64 encoding based on your requirements
- Real-time generation: HMAC updates instantly as you type, with no button clicks required
- Client-side security: All cryptographic operations performed locally using the Web Crypto API—nothing sent to servers
- Password-protected input: Secret key field masked by default to prevent shoulder surfing
Use cases
- API authentication: Sign API requests with HMAC to prove request authenticity and prevent tampering (used by AWS, Stripe, and many other services)
- Webhook verification: Validate that incoming webhooks genuinely originated from the expected service (GitHub, Shopify, Twilio)
- Message integrity: Ensure messages transmitted between systems haven't been modified in transit
- Session token generation: Create secure session identifiers that can be verified without database lookups
- Digital signatures for documents: Generate verifiable signatures for contracts, agreements, or sensitive documents shared between parties
Security best practices
- Key length: Use secret keys at least as long as the hash output (32 bytes for SHA-256, 64 bytes for SHA-512)
- Key randomness: Generate keys using cryptographically secure random number generators, not passwords
- Key storage: Never hardcode keys in source code; use environment variables or secure key management systems
- Algorithm selection: Use SHA-256 or stronger; avoid SHA-1 for new implementations
- Constant-time comparison: When verifying HMACs programmatically, use constant-time comparison functions to prevent timing attacks
Common HMAC implementations
JavaScript (Node.js):
const crypto = require("crypto");
const hmac = crypto
.createHmac("sha256", secretKey)
.update(message)
.digest("hex");Python:
import hmac
import hashlib
signature = hmac.new(secret_key.encode(), message.encode(), hashlib.sha256).hexdigest()PHP:
$signature = hash_hmac('sha256', $message, $secretKey);Related standards and specifications
- RFC 2104: HMAC: Keyed-Hashing for Message Authentication
- FIPS 198-1: The Keyed-Hash Message Authentication Code (HMAC)
- RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec