Dev / Crypto

HMAC Generator.

Keyed-hash message authentication codes prove a message was not tampered with and was signed by someone who knows the secret. Paste message + key, pick SHA-256, SHA-384, or SHA-512, then copy hex or Base64 with one click.

HMAC (hex)
HMAC (base64)

When to use HMAC

HMAC is the standard way APIs sign webhooks and JWTs (HS256). Unlike a plain hash, an attacker cannot recompute the MAC without the secret key. SHA-256 is the default for new work; SHA-384 and SHA-512 appear in compliance-heavy environments and some cloud signing schemes. This tool uses crypto.subtle — the same Web Crypto API your browser uses for TLS.

Further reading: what client-side really means for secrets.

Copied