The HMAC Generator computes a keyed hash message authentication code from your text and a secret key, using your choice of MD5, SHA-256 or SHA-512. Unlike a plain hash, an HMAC mixes in a secret so that only someone who knows the key can produce or verify the signature. This is the standard technique for authenticating API requests, signing webhooks and proving that a message has not been altered by anyone without the key.
You supply the message in the input box and the secret key as an option, then pick the underlying algorithm and whether you want the result as hexadecimal or base64. The tool follows the standard HMAC construction exactly, so the signatures it produces match those generated by server-side libraries in Node.js, Python, PHP, Java and other languages, letting you test and debug integrations with confidence.
Because the computation runs entirely in your browser with pure JavaScript, both your message and your secret key stay on your device and are never uploaded. That is essential when working with real signing keys. The result is deterministic, so the same message, key, algorithm and encoding always produce the same signature, making it easy to compare against what your backend expects.
Features
- Implements the standard HMAC construction so signatures match server-side libraries across languages.
- Supports MD5, SHA-256 and SHA-512 as the underlying hash so you can match whatever your API requires.
- Outputs the signature as lowercase hexadecimal or base64, covering the two most common encodings.
- Keeps both the message and the secret key entirely local, never transmitting either to any server.
- Encodes the message and key as UTF-8, matching how most backends compute HMAC signatures.
- Reports the chosen algorithm, encoding and digest length so you can confirm the exact configuration.
- Runs completely offline with no sign-up and no limits, ideal for testing and debugging integrations.
How to use HMAC Generator
- Paste or type the message you want to sign into the input box.
- Enter your secret key in the key option; it is required to compute the HMAC.
- Choose the hash algorithm, selecting MD5, SHA-256 or SHA-512 to match your target system.
- Pick hexadecimal or base64 output depending on the format your API or library expects.
- Read the resulting signature, then copy it or download it to compare against your backend value.
Benefits
- API developers reproduce the exact signature their service expects to debug authentication failures fast.
- Integrators verify incoming webhook signatures by recomputing the HMAC from the payload and shared secret.
- Security engineers confirm that client and server agree on algorithm, encoding and key handling.
- QA teams generate known-good signatures for tests without embedding a signing routine in the test harness.
- Developers switch between hex and base64 instantly to match differing library defaults across platforms.
- Everyone benefits from local computation, since real secret keys and messages never leave the browser.
An HMAC answers a question a plain hash cannot: not only whether the message changed, but whether it was produced by someone holding the secret key. Because the key is folded into the computation, an attacker who can see the message and its signature still cannot forge a valid signature for a different message without knowing the key. This is why HMAC underpins so many API authentication and webhook verification schemes.
Choosing the algorithm and encoding to match your counterpart is the key to interoperability. Many services standardise on HMAC-SHA256 with hexadecimal output, but some use base64, and older systems occasionally use HMAC-MD5. If your computed signature does not match, the usual culprits are a mismatched encoding, a different algorithm, or a key or message that includes trailing whitespace or a different character encoding on one side.
Since both the message and the secret key are processed locally, this tool is safe to use with production signing keys for debugging, but treat the key as sensitive and clear it when you are done on a shared machine. For plain content fingerprinting where no shared secret is involved, use the Hash Generator or the dedicated MD5 and SHA-256 generators instead, and reserve HMAC for cases that require authentication with a key.