100% client-side: your input and secret keys never leave your browser.

HMAC Generator

Generate HMAC signatures (MD5, SHA-1, SHA-256, SHA-384, SHA-512) for webhook verification, JWT signing, and API authentication. Hex or Base64 output. Your secret key stays in this tab.


HMAC-MD5 legacy
HMAC-SHA-1
HMAC-SHA-256
HMAC-SHA-384
HMAC-SHA-512

What is HMAC?

HMAC (Hash-based Message Authentication Code, RFC 2104) combines a cryptographic hash function with a shared secret key. Unlike a plain hash, an HMAC proves both that a message has not been tampered with and that it comes from someone who holds the secret. Two parties compute the same HMAC over the same payload; anyone without the secret cannot forge a valid signature.

When to use HMAC

  • Webhook signature verification. Recompute the HMAC on your end with the partner's secret and compare to the header. Common providers:
    • Stripe-Signature — HMAC-SHA-256, hex.
    • X-Hub-Signature-256 (GitHub) — HMAC-SHA-256, hex.
    • X-Slack-Signature — HMAC-SHA-256, hex with v0= prefix.
    • X-Twilio-Signature — HMAC-SHA-1, Base64.
    • Azure Event Grid — HMAC-SHA-256, Base64.
  • JWT HS256 / HS384 / HS512. The signing step of a symmetric JSON Web Token is exactly an HMAC over base64url(header) + "." + base64url(payload), output as Base64url.
  • AWS Signature Version 4. SigV4 requires nested HMAC-SHA-256 over the canonical request, output as hex.
  • Azure SAS tokens. HMAC-SHA-256 over the URI + expiry, output as Base64.
  • CSRF and session tokens. An HMAC binds a token to a server secret so it cannot be tampered with client-side.

HMAC vs plain hash

A plain SHA-256 of payload proves integrity but not origin — anyone can recompute it. An HMAC-SHA-256 of payload with a shared secret proves both: integrity, and that the sender knew the secret. That's the difference between "this file wasn't corrupted in transit" and "this request was authorized by my partner."

Why HMAC-MD5 is still here

MD5 itself has been broken for collision resistance since 2004. HMAC-MD5 is not: it relies on MD5's PRF (pseudo-random function) property, which has no known practical attack. RFC 6151 and NIST SP 800-131A discourage HMAC-MD5 for new protocols, but it remains required for legacy interoperability: NTLM and Active Directory authentication, RADIUS, CHAP, DIGEST-MD5 SASL, and TLS 1.0/1.1 audit. It is listed here so you can compute it without falling back to a desktop tool, not as a recommendation for new code.

Hex vs Base64 output

Hex is what Stripe, GitHub, Slack and AWS SigV4 use. Base64 is what Twilio, Azure and JWT (as Base64url) use. Toggle above to match your partner's format. Comparison below auto-matches either format.

Implementation

HMAC-SHA-* uses the browser's native crypto.subtle.sign('HMAC', …), bit-for-bit identical to openssl dgst -mac HMAC -macopt key:<secret>. HMAC-MD5 is implemented in pure JavaScript inside this page (Web Crypto does not expose MD5). All five algorithms run on your device — no request leaves your browser. Open DevTools → Network before pasting your secret to verify.