HMAC Generator Online - Free, No Sign-Up
Overview
HMAC (Hash-based Message Authentication Code) verifies both the integrity and origin of a message using a shared secret. It is the signing mechanism behind JWT HS256/HS384/HS512, Stripe and GitHub webhook signatures, and AWS SigV4 request signing. Paste your message and secret, pick the algorithm, and the tool computes the HMAC using the browser's SubtleCrypto API.
How to Use This Tool
Enter the message in the first field and the secret key in the second. Select the algorithm (HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512). The hex digest appears immediately. The output matches Python's hmac.new(key.encode(), message.encode(), hashlib.sha256).hexdigest() for the same inputs.
Ready to get started? It's free, no registration required, and your files never leave your device.
PDF Tool →Frequently Asked Questions
How do I verify a Stripe webhook with this tool?
Stripe signs webhook payloads with HMAC-SHA256 using your webhook signing secret. Paste the raw request body as the message, enter your signing secret, select HMAC-SHA256, and compare the output to the Stripe-Signature header (after stripping the v1= prefix and timestamp). They should match.
Can HMAC be reversed to recover the original message?
No. HMAC produces a fixed-length digest and is not reversible. The goal is verification, not encryption. Given the HMAC output and the secret key, an attacker cannot recover the original message from the digest alone.
What secret key length is recommended for HMAC-SHA256?
RFC 2104 recommends a key at least as long as the hash output, which is 32 bytes for HMAC-SHA256. Longer keys provide no additional security once they exceed the block size (64 bytes for SHA-256). A 32-byte randomly generated key is the practical standard.