What is HMAC used for?

HMAC is used to verify both the integrity and authenticity of a message. Common uses: webhook signature verification (GitHub, Stripe, Shopify all use HMAC-SHA256), API request signing, and cookie authentication tokens.

Is this safe to use with real secret keys?

All processing is done in your browser using the Web Crypto API — nothing is sent to a server. However, treat any shared secret key with care. Use test keys when verifying HMAC logic.

What is the difference between HMAC and a regular hash?

A regular hash (SHA-256) depends only on the input data — anyone can compute it. HMAC also requires a secret key, so only parties with the key can produce or verify the signature. This prevents tampering.

How do I verify a GitHub webhook HMAC?

GitHub uses HMAC-SHA256. Compute HMAC-SHA256 of the raw request body using your webhook secret as the key. Compare with the X-Hub-Signature-256 header (strip the "sha256=" prefix). A match confirms the webhook is genuine.

HMAC Generator

Generates HMAC (Hash-based Message Authentication Code) signatures using the browser's Web Crypto API. Supports HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, and HMAC-SHA-1. Enter your message and secret key to get the hex and Base64 HMAC output. Used for webhook signature verification and API request signing.

Runs entirely in your browser — your input is never uploaded, stored, or logged.

Enter your message and secret key to generate an HMAC signature instantly. For simple hashing without a key, use the Hash Generator.

Examples

Webhook verification

Input

Message: "hello", Key: "secret"

Output

HMAC-SHA256: 88aab3ede8d3adf94d26ab90d3bafd4a2083070c3bcce9c014ee04a443847c0b

Frequently Asked Questions

Related Tools

New

Hash Generator

Generate MD5, SHA-1, SHA-256, SHA-512 hashes from text.

New

Token & API Key Generator

Generate cryptographically secure tokens, API keys, and secrets.

New

Password Strength Checker

Check password strength against security criteria and estimate crack time.

New

Hex Encoder / Decoder

Encode text to hexadecimal or decode hex back to text.

New

Credit Card Validator

Validate credit card numbers using the Luhn algorithm.

New

IBAN Validator

Validate and parse International Bank Account Numbers (IBANs).