HMAC Generator

While regular hashing functions like SHA-256 prove data integrity ("this file hasn't been modified"), they don't prove origin ("this file came from someone I trust"). HMAC (Hash-based Message Authentication Code) solves that by combining a message with a secret key, producing a signature that only someone with the secret key could have generated. This tool creates HMAC signatures used in API authentication, webhook verification, and digital signatures.

How HMAC differs from plain hashing

If you hash a message, anyone can verify the hash matches—they just recompute it. But with HMAC, you hash the message combined with a secret key. An attacker who intercepts the message and hash cannot create a valid HMAC for a modified message without knowing the secret key. This makes HMAC perfect for situations where you need to prove both integrity and authenticity.

Real-world HMAC usage

Web APIs frequently use HMAC for request signing. A client hashes their request body with their secret API key and includes the resulting signature in the request. The server repeats this calculation and verifies the signature matches—proving the request came from the legitimate client and wasn't tampered with. Webhook providers use the same approach: they sign the webhook payload with their secret, and you verify the signature before processing the webhook.

Algorithm selection

This tool supports HMAC with SHA-1, SHA-256, SHA-384, and SHA-512. Prefer SHA-256 or higher for new applications. SHA-1 is older and less secure, though for HMAC specifically (rather than plain hashing), SHA-1 remains acceptable in some legacy systems.

Key management

The strength of HMAC depends entirely on keeping the secret key secret. If your API key or signing key is compromised, attackers can forge valid signatures. Store keys securely (in environment variables or secrets managers), never commit them to version control, and rotate them periodically.