HMAC Generator

What is HMAC Generator?

The HMAC Generator is a free online tool that computes a keyed hash message authentication code (HMAC) from any text message and a shared secret key. It supports SHA-1, SHA-256, SHA-384, and SHA-512 as the underlying hash, and outputs the signature as lowercase hexadecimal or Base64. Developers reach for it to sign webhook payloads, build and verify API request signatures, generate tamper-evident tokens, or check that a value matches an expected signature from another system. The signature recomputes live as you edit the message, key, algorithm, or encoding, and runs entirely in the browser through the Web Crypto API. Common searches include "hmac sha256 generator", "hmac online", "hmac base64", and "hmac signature calculator".

How to use HMAC Generator

1. Type or paste the message you want to sign into the Input box.
2. Enter your shared secret key in the Secret key field.
3. Pick the hash algorithm — SHA-1, SHA-256, SHA-384, or SHA-512 — from the dropdown.
4. Switch the output between Hex and Base64 with the encoding toggle.
5. Watch the HMAC update automatically as you change any field, then click Copy to put the signature on your clipboard.

Examples

message: The quick brown fox
key: secret
algorithm: SHA-256
encoding: Hex

7a284e5025f32a846fa3e6957d10278eb5726dd4e0b04c8e0259defcd2cd0eb1

message: The quick brown fox
key: secret
algorithm: SHA-256
encoding: Base64

eihOUCXzKoRvo+aVfRAnjrVybdTgsEyOAlne/NLNDrE=

Frequently asked questions

Which hash algorithms and encodings are supported?

The underlying hash can be SHA-1, SHA-256, SHA-384, or SHA-512, selected from the dropdown. The signature is shown either as lowercase hexadecimal or as Base64, chosen with the encoding toggle.

Are my message and secret key uploaded anywhere?

No. The HMAC is computed 100% client-side in your browser with the Web Crypto API. Neither the message nor the secret key is ever sent to a server, so it is safe to use with real keys.

Do I need to click a button to compute the HMAC?

No. The signature recomputes live whenever you change the message, key, algorithm, or encoding. The button only copies the current result to your clipboard.

How is the secret key treated?

The key field is a password input, so its value is masked on screen and is deliberately excluded from saved workspace state. The key is used only in your browser to derive the HMAC.

Why does my HMAC differ from another tool's?

An HMAC depends exactly on the message bytes, the key bytes, and the chosen hash. Trailing whitespace or newlines in the message or key, a different algorithm, or hex versus Base64 output will all change the result. The message and key here are treated as UTF-8 text.