HMAC Generator (SHA-1, SHA-256, SHA-512)
Sign a message with a secret key using HMAC-SHA-1, SHA-256 or SHA-512. Output is hex.
Quick answer: Sign a message with a secret key using HMAC-SHA-1, SHA-256 or SHA-512. Output is hex.
Last updated
Frequently asked questions
- How do I compute an HMAC?
- Type the secret key and the message. The HMAC hex updates live as you type. Copy with one click.
- Which algorithm should I use?
- HMAC-SHA-256 is the safe modern default for webhooks, API signatures and cookie signing. Use SHA-512 if a counterpart specifies it.
- What's the difference between hash and HMAC?
- A hash takes only data; an HMAC takes data + a secret key. Without the key, an attacker can't forge a valid HMAC for new data.
- Are the key and message sent to a server?
- No. HMAC computation runs entirely in your browser, so even production secrets are safe to paste.
- How are inputs encoded?
- Both the key and the message are UTF-8 encoded before being signed — the standard convention for web APIs.
- Why does my output differ from a webhook signature?
- Most often: trailing whitespace, the wrong key, or the algorithm mismatch (SHA-1 vs SHA-256). Some services also base64-encode the result instead of hex.
- Can I get base64 output?
- Not yet in this tool. For base64, run the hex through the Base64 Encoder/Decoder after converting to bytes.
- Is HMAC-SHA-1 still safe?
- Yes for HMAC use specifically — collision attacks on SHA-1 don't break HMAC-SHA-1, but new systems should use SHA-256.
- Can I sign multi-line messages?
- Yes — newlines are part of the bytes. Make sure your counterpart uses the same line-ending convention (LF vs CRLF).
- Is this HMAC generator free?
- Yes — free, no signup, no limits.