Compute and verify HMAC message authentication codes (HMAC-SHA256, SHA-512, SHA-1, SHA-384, MD5) for API request signing and webhook signature validation. Runs entirely in your browser.
An HMAC (hash-based message authentication code) combines a message with a secret key to produce a signature that proves both the integrity and the authenticity of the message - only someone with the key can produce or verify it. This tool generates HMACs with the common algorithms (HMAC-SHA256, SHA-512, SHA-1, SHA-384, MD5) and can also verify a message against an expected HMAC, which is exactly what you do when validating an incoming webhook signature. Keys can be UTF-8 text, hex, or base64, and output is shown in hex and base64. Everything runs locally.
Input:
message "hello", key "secret", HMAC-SHA256
Output:
88aab3ede8d3adf94d26ab90d3bafd4a2083070c3bcce9c014ee04a443847c0b
How do I verify a webhook signature?
Paste the raw request body as the message and your endpoint's signing secret as the key, pick the algorithm the provider uses (usually HMAC-SHA256), switch to Verify, and paste the signature header value (e.g. Stripe's v1=, GitHub's X-Hub-Signature-256). A match confirms the webhook is authentic.
What is the difference between a hash and an HMAC?
A plain hash (like SHA-256) only proves integrity and anyone can compute it. An HMAC mixes in a secret key, so it also proves the message came from someone who holds that key - it authenticates the sender.
What key encodings are supported?
UTF-8 text, hexadecimal, and base64. Choose the encoding that matches how your secret is stored so the bytes are interpreted correctly.
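The webhook check and the key-encoding choice described in the two answers above, as an added Node.js example (not this tool's own code). The function names are hypothetical; it accepts a bare hex signature or a `sha256=`-prefixed one, the form GitHub's X-Hub-Signature-256 header uses, and compares in constant time.

```javascript
// Added example: Node.js standard library only; function names are hypothetical.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Decode the secret according to how it is stored (UTF-8 text, hex, or base64).
function decodeKey(secret, encoding) {
  if (!["utf8", "hex", "base64"].includes(encoding)) {
    throw new Error(`unsupported key encoding: ${encoding}`);
  }
  return Buffer.from(secret, encoding);
}

// HMAC over the exact raw body (string or Buffer); returns the MAC as a Buffer.
function computeHmac(rawBody, secret, encoding = "utf8", algorithm = "sha256") {
  return createHmac(algorithm, decodeKey(secret, encoding)).update(rawBody).digest();
}

// Verify a hex signature, with or without an "<algorithm>=" prefix.
function verifySignature(rawBody, secret, headerValue, encoding = "utf8", algorithm = "sha256") {
  const expected = computeHmac(rawBody, secret, encoding, algorithm);
  const prefix = `${algorithm}=`;
  let hex = headerValue.trim();
  if (hex.startsWith(prefix)) hex = hex.slice(prefix.length);
  // Buffer.from(..., "hex") silently stops at invalid characters, so validate
  // the format and length before decoding; timingSafeEqual needs equal lengths.
  if (!/^[0-9a-fA-F]+$/.test(hex) || hex.length !== expected.length * 2) return false;
  return timingSafeEqual(expected, Buffer.from(hex, "hex"));
}

// Sample input from the page: message "hello", key "secret", HMAC-SHA256.
const header = "sha256=" + computeHmac("hello", "secret").toString("hex");
console.log(verifySignature("hello", "secret", header));               // key as UTF-8 text
console.log(verifySignature("hello", "736563726574", header, "hex"));  // same key bytes, hex-encoded
console.log(verifySignature("hello", "736563726574", header, "utf8")); // wrong encoding: different key bytes
console.log(verifySignature("hello\n", "secret", header));             // body altered by one byte
```

Pass the body bytes exactly as received: re-serializing parsed JSON before hashing changes the bytes and the signature no longer matches.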
Is my data sent anywhere?
No. The message and key are processed entirely in your browser and never leave your device.