Dev / Crypto
HMAC Generator.
Keyed-hash message authentication codes prove a message was not tampered with and was signed by someone who knows the secret. Paste message + key, pick SHA-256, SHA-384, or SHA-512, then copy hex or Base64 with one click.
HMAC (hex)
—
HMAC (base64)
—
When to use HMAC
HMAC is the standard way APIs sign webhooks and JWTs (HS256). Unlike a plain hash, an attacker cannot recompute the MAC without the secret key. SHA-256 is the default for new work; SHA-384 and SHA-512 appear in compliance-heavy environments and some cloud signing schemes. This tool uses crypto.subtle — the same Web Crypto API your browser uses for TLS.
Further reading: what client-side really means for secrets.