HMAC Generator
Generate HMAC hashes instantly
Message and Secret
Generate HMAC (Hash-based Message Authentication Code) signatures for API authentication, JWT signing, and message integrity verification. Support for SHA-256, SHA-512, and other algorithms with browser-based processing — no server transmission.
HMAC for Secure Message Authentication and API Signatures
HMAC (Hash-based Message Authentication Code) is a cryptographic mechanism that combines a secret key with a hash function to create a signature that verifies both the authenticity and integrity of a message. A plain hash function produces the same output for the same input regardless of who computes it; HMAC, by contrast, requires knowledge of the secret key to generate or verify the signature. This dependence on the key makes HMAC well suited to scenarios where two parties share a secret and need to authenticate messages exchanged over untrusted channels.
The security of HMAC relies on two components: the quality of the underlying hash function (SHA-256, SHA-512) and the entropy of the shared secret key. A weak or short key is vulnerable to brute-force attacks; a weak hash function can be susceptible to collision attacks. Modern best practices recommend using HMAC-SHA-256 or HMAC-SHA-512 with a key at least 256 bits (32 bytes) in length.
OmniToolsKit's HMAC generator runs entirely in your browser using the Web Crypto API, ensuring that your secret keys never leave your device. The tool supports all major hash algorithms, displays output in hex or Base64 format, and includes a verification mode where you can check whether a given HMAC signature validates for a message and key pair.
API Request Authentication
Many APIs (AWS, Stripe, GitHub) require HMAC signing of requests to prove client identity. Clients sign request payloads with a secret API key, and servers verify the signature.
JWT Token Signature Verification
JSON Web Tokens use HMAC to sign the header and payload, allowing token recipients to verify the token wasn't tampered with after issuance.
Webhook Data Integrity Validation
When services deliver webhooks, they sign the payload with a shared secret. Receivers compute the HMAC of the payload and compare with the signature to detect tampering.
Session Token Security
Applications sign session tokens with an HMAC to prevent users from forging their own sessions, even if they can read the token content.
1. Enter Your Message
Type or paste the message you want to authenticate. This could be an API request body, a session token, webhook payload, or any data that needs authentication.
2. Provide Your Secret Key
Enter the shared secret key in hex, Base64, or plaintext format. For API authentication, this is typically your API secret key. Use a strong, random key at least 32 bytes long.
3. Select Hash Algorithm
Choose from SHA-256 (recommended), SHA-512, SHA-1 (legacy), or MD5 (non-secure). SHA-256 is the industry standard for security-critical applications.
4. Generate and Copy HMAC Signature
Click 'Generate' to compute the HMAC. The signature appears in hex and Base64 formats. Copy it for inclusion in API requests, tokens, or verification payloads.
SHA-256, SHA-512, SHA-1, and MD5 Support
Support for all standard HMAC variants. SHA-256 recommended for security. Legacy options for backward compatibility with older systems.
Flexible Key Input Formats
Accept keys in plaintext, hexadecimal, or Base64 encoding. Auto-detect format or specify manually for unambiguous input.
Hex and Base64 Output Formats
Output HMAC signatures in hex (lowercase/uppercase) or Base64 encoding depending on your API or protocol requirements.
Signature Verification Mode
Verify whether a given HMAC signature is valid for a message and key pair. The check uses a constant-time comparison to prevent timing attacks.
100% Browser-Based — Zero Server Transmission
All HMAC computation uses the Web Crypto API locally. Your message and secret key never leave your device, ensuring maximum confidentiality.
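The webhook validation and verification mode described above can be sketched with the Web Crypto API as follows. This is an added example, not OmniToolsKit's own code; the function names (importHmacKey, signHex, verifyHex, fromHex) and the fixed choice of SHA-256 with hex-encoded signatures are assumptions made for illustration.

```javascript
// Added example: HMAC-SHA-256 signing and verification with Web Crypto.
// The fallback lets the same code run in Node builds without a global `crypto`.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const enc = new TextEncoder();

// Import raw key bytes as a non-extractable HMAC key.
async function importHmacKey(secretBytes) {
  return subtle.importKey('raw', secretBytes,
    { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
}

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');

// Strict hex decoder: returns null instead of silently accepting bad input.
function fromHex(hex) {
  if (typeof hex !== 'string' || hex.length % 2 !== 0) return null;
  if (!/^[0-9a-fA-F]*$/.test(hex)) return null;
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  }
  return out;
}

// Sender side: sign the exact bytes that will be transmitted.
async function signHex(secretBytes, message) {
  const key = await importHmacKey(secretBytes);
  return toHex(await subtle.sign('HMAC', key, enc.encode(message)));
}

// Receiver side: reject malformed or wrong-length signatures up front, then
// let subtle.verify recompute and compare the MAC inside the crypto library
// rather than comparing hex strings with an early-exit `===`.
async function verifyHex(secretBytes, message, signatureHex) {
  const sig = fromHex(signatureHex);
  if (sig === null || sig.length !== 32) return false; // SHA-256 MAC is 32 bytes
  const key = await importHmacKey(secretBytes);
  return subtle.verify('HMAC', key, sig, enc.encode(message));
}
```

A webhook receiver should pass the raw request body to verifyHex before any JSON parsing, since re-serialized JSON may not match the bytes the sender signed.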