Generate HMAC with multiple algorithms. Part of the DevTools Surf developer suite.
Use Cases
Generate HMAC signatures for Stripe, GitHub, or AWS webhook payload verification.
Sign API requests to a backend that verifies request integrity before processing.
Create message authentication codes for data stored in tamper-evident logs.
Demonstrate the HMAC signing workflow to developers integrating with a signed API.
Tips
HMAC-SHA256 is the standard for API request signing — most cloud providers (AWS SigV4, Stripe) use it for webhook and API signature verification.
The secret key should have at least 256 bits (32 bytes) of entropy for HMAC-SHA256. With a shorter key, security is bounded by the key length rather than by the hash algorithm's strength.
Generate separate HMAC keys for each environment (dev, staging, prod) and rotate them on a schedule.
Fun Facts
HMAC (Hash-based Message Authentication Code) was formalized in RFC 2104 in 1997 by Bellare, Canetti, and Krawczyk. It is still considered cryptographically secure with any modern hash function.
HMAC differs from a simple keyed hash by applying the key twice: once combined with an inner pad and once combined with an outer pad. This makes it resistant to the length-extension attacks that break plain H(key||message).
AWS Signature Version 4 (SigV4), used by every AWS API call, derives a signing key through four nested HMAC-SHA256 operations over the date, region, service, and a termination string.
FAQ
Which HMAC algorithm should I use?
HMAC-SHA256 for most applications. HMAC-SHA512 for higher-security contexts. HMAC-MD5 and HMAC-SHA1 are still structurally secure but should be avoided due to the underlying hash weaknesses.
What's the key length requirement?
Any length works, but RFC 2104 recommends keys as long as the hash output (32 bytes for SHA-256). Keys longer than the block size are hashed first. Shorter keys reduce effective security.
How do I verify an HMAC?
Recompute the HMAC with the same key and compare it with the received value using a constant-time comparison, which prevents timing attacks. Use the companion Hash Verifier tool for the verification workflow.
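The inner/outer pad construction from Fun Facts, the long-key rule from the key length answer, and the constant-time check from the verification answer, shown together as an added Python example (not code from DevTools Surf). The function names `hmac_rfc2104`, `sign` and `verify` are hypothetical, and the key and payload are constructed sample values.

```python
import hashlib
import hmac

def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC from first principles: H((K ^ opad) || H((K ^ ipad) || message))."""
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-256
    if len(key) > block_size:
        # Keys longer than the block size are hashed first.
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")  # shorter keys are zero-padded
    inner_key = bytes(b ^ 0x36 for b in key)  # key XOR inner pad
    outer_key = bytes(b ^ 0x5C for b in key)  # key XOR outer pad
    inner = hashlib.new(hash_name, inner_key + message).digest()
    # The outer pass hashes a fixed-length digest under the key, so appending
    # data to the message cannot extend a valid tag as it can for H(key||message).
    return hashlib.new(hash_name, outer_key + inner).digest()

def sign(key: bytes, payload: bytes, hash_name: str = "sha256") -> str:
    """Hex signature as a sender would place it in a request header."""
    return hmac_rfc2104(key, payload, hash_name).hex()

def verify(key: bytes, payload: bytes, received_hex: str, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time; malformed input fails closed."""
    try:
        received = bytes.fromhex(received_hex)
    except ValueError:
        return False
    expected = hmac_rfc2104(key, payload, hash_name)
    return hmac.compare_digest(expected, received)

# Constructed sample values. A real key comes from a CSPRNG, e.g. secrets.token_bytes(32).
SAMPLE_KEY = bytes(range(32))
SAMPLE_PAYLOAD = b'{"event":"invoice.paid","id":"evt_constructed_1"}'

if __name__ == "__main__":
    sig = sign(SAMPLE_KEY, SAMPLE_PAYLOAD)
    print("signature:", sig)
    print("matches stdlib:", sig == hmac.new(SAMPLE_KEY, SAMPLE_PAYLOAD, "sha256").hexdigest())
    print("valid:", verify(SAMPLE_KEY, SAMPLE_PAYLOAD, sig))
    print("tampered:", verify(SAMPLE_KEY, SAMPLE_PAYLOAD + b" ", sig))
```

In production code, call the standard library's `hmac.new` directly; the hand-built version is here to make the two keyed passes visible.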